Vulnerability in the Rust and Go network libraries that allows bypassing IP address validation

A vulnerability related to incorrect handling of IP addresses containing octal digits in the address-parsing functions has been identified in the standard libraries of the Rust and Go languages. The vulnerability makes it possible to bypass checks for valid addresses in applications, for example to gain access to loopback interface addresses (127.x.x.x) or intranet subnets when carrying out SSRF (Server-Side Request Forgery) attacks. The vulnerability continues the series of problems previously identified in the libraries node-netmask (JavaScript, CVE-2021-28918, CVE-2021-29418), private-ip (JavaScript, CVE-2020-28360), ipaddress (Python, CVE-2021-29921), Data::Validate::IP (Perl, CVE-2021-29662) and Net::Netmask (Perl, CVE-2021-29424).

By specification, IP address string values that begin with a zero must be interpreted as octal numbers, but many libraries do not take this into account and simply discard the zero, treating the value as a decimal number. For example, the number 0177 in octal equals 127 in decimal. An attacker can request a resource by specifying the value "0177.0.0.1", which in decimal notation corresponds to "127.0.0.1". If a problematic library is used, the application will not detect that the address 0177.0.0.1 lies in the 127.0.0.1/8 subnet, but in fact, when the request is sent, it may reach the address "0177.0.0.1", which the network functions will process as 127.0.0.1. In the same way, a check for access to intranet addresses can be deceived by specifying values such as "012.0.0.1" (equivalent to "10.0.0.1").

In Rust, the standard library "std::net" was affected by the issue (CVE-2021-29922). This library's IP address parser discarded the zero in front of values in the address, but only if no more than three digits were specified; for example, "0177.0.0.1" would be treated as an invalid value, while an incorrect result would be returned in response to 010.8.8.8 and 127.0.026.1. Applications that use std::net::IpAddr when parsing user-specified addresses could be vulnerable to SSRF (Server-Side Request Forgery), RFI (Remote File Inclusion) and LFI (Local File Inclusion) attacks. The vulnerability was fixed in the Rust 1.53.0 branch.

In Go, the standard library "net" is affected (CVE-2021-29923). The built-in net.ParseCIDR function skips leading zeros before octal numbers instead of processing them. For example, an attacker could pass the value 00000177.0.0.1, which, when checked in the function net.ParseCIDR(00000177.0.0.1/24), would be parsed as 177.0.0.1/24 rather than 127.0.0.1/24. The problem also manifests itself in the Kubernetes platform. The vulnerability was fixed in the Go 1.16.3 release and the 1.17 beta.
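The defensive counterpart to both the Rust and Go parsing problems described above is to refuse any octet with a leading zero before an allow-list check ever runs, so the validator and the socket layer cannot disagree about what "0177.0.0.1" means. The following Go code is an added example, not code from the article or from the Go or Rust projects; the function names strictParseIPv4 and allowedByPolicy and the loopback plus RFC 1918 deny-list are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

var errLeadingZero = errors.New("octet has a leading zero: octal/decimal ambiguity")

// strictParseIPv4 accepts only canonical dotted-decimal text: four octets, digits
// only, no leading zeros, each 0..255. "0177.0.0.1", "012.0.0.1" and
// "00000177.0.0.1" are refused outright rather than silently read as decimal.
func strictParseIPv4(s string) (net.IP, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return nil, errors.New("expected four dot-separated octets")
	}
	ip := make(net.IP, 4)
	for i, p := range parts {
		if len(p) > 1 && p[0] == '0' {
			return nil, errLeadingZero
		}
		n, err := strconv.ParseUint(p, 10, 8) // base 10, fits in a byte, no sign, no empty
		if err != nil {
			return nil, fmt.Errorf("octet %q: %w", p, err)
		}
		ip[i] = byte(n)
	}
	return ip, nil
}

// allowedByPolicy is the SSRF-style check (hypothetical policy): strict parse, then
// refuse loopback and RFC 1918 ranges. The ranges are canonical literals, so
// net.ParseCIDR sees no leading zeros here.
func allowedByPolicy(s string) (bool, error) {
	ip, err := strictParseIPv4(s)
	if err != nil {
		return false, err
	}
	for _, c := range []string{"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, block, _ := net.ParseCIDR(c)
		if block.Contains(ip) {
			return false, nil
		}
	}
	return true, nil
}
```

With this check in front of the request, the article's values 0177.0.0.1, 012.0.0.1 and 00000177.0.0.1 all fail with errLeadingZero, while 8.8.8.8 is allowed and 127.0.0.1 or 10.0.0.1 are refused as internal.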

Source: opennet.ru