BusyBox Security Audit Reveals 14 Minor Vulnerabilities

Researchers from Claroty and JFrog have published the results of a security audit of the BusyBox package, which is widely used in embedded devices and provides a set of standard UNIX utilities packed into a single executable. During the scan, 14 vulnerabilities were identified, all of which have already been fixed in the August release of BusyBox 1.34. Almost all of the issues are harmless and of doubtful value in real attacks, since they require running the affected utilities with arguments obtained from the outside.

The one vulnerability that stands apart is CVE-2021-42374, which allows a denial of service to be triggered when a specially crafted compressed file is processed by the unlzma utility and, in builds with the CONFIG_FEATURE_SEAMLESS_LZMA option, by any other BusyBox component, including tar, unzip, rpm, dpkg, lzma and man.

Vulnerabilities CVE-2021-42373, CVE-2021-42375, CVE-2021-42376 and CVE-2021-42377 can cause a denial of service, but require running the man, ash and hush utilities with parameters specified by the attacker. Vulnerabilities CVE-2021-42378 through CVE-2021-42386 affect the awk utility and could lead to code execution, but in this case the attacker has to ensure that a particular pattern is executed by awk (awk must be run on data received from the attacker).

Additionally, a vulnerability (CVE-2021-43523) in the uclibc and uclibc-ng libraries is worth noting: when the gethostbyname(), getaddrinfo(), gethostbyaddr() and getnameinfo() functions are called, the domain name returned by the DNS server is not validated or sanitized. For example, in response to a resolution request, an attacker-controlled DNS server could return a host name such as "alert('xss').attacker.com", and it would be passed unchanged to a program that, without sanitizing it, might display it in a web interface. The problem was fixed in uclibc-ng 1.0.39 by adding code that checks the validity of returned domain names, implemented in the same way as in Glibc.
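The check described in the paragraph above amounts to a filter applied to every name a DNS answer hands back before it reaches the calling program. The C program below is an added illustration written for this page, not uclibc-ng's or Glibc's own code; the exact rules it applies (253-character total, 63-character labels, letters, digits and hyphens only, no leading or trailing hyphen in a label, one optional trailing dot) are assumptions that describe a conservative hostname check, and the "resolver answers" it filters are constructed sample strings.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hostname validity check in the spirit of the one the article says
 * uclibc-ng 1.0.39 added. Constructed example: the rules below are
 * assumptions, not a copy of uclibc-ng's or Glibc's logic.
 *   - total length <= 253 (a single trailing dot is tolerated)
 *   - each label is 1..63 characters
 *   - labels contain only letters, digits and '-'
 *   - a label may not begin or end with '-'
 * Underscores are rejected here; real resolvers may allow them for
 * some record types, so adjust the character set to your use. */
bool hostname_is_valid(const char *name)
{
    if (name == NULL) return false;
    size_t len = strlen(name);
    if (len == 0) return false;
    if (name[len - 1] == '.') {
        len--;                              /* ignore one trailing dot */
        if (len == 0) return false;         /* "." alone is not a host */
    }
    if (len > 253) return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0) return false;      /* empty label: ".a" or "a..b" */
            if (name[i - 1] == '-') return false;  /* label ends with '-' */
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return false;   /* quotes, '(', ' ', ... */
        if (label_len == 0 && c == '-') return false;  /* label starts with '-' */
        if (++label_len > 63) return false;
    }
    if (name[len - 1] == '-') return false;            /* last label ends with '-' */
    return true;
}

/* Filter a list of names as a resolver wrapper would: copy the acceptable
 * ones into 'out' and return how many were kept. */
size_t filter_resolver_answers(const char *const *names, size_t n,
                               const char **out, size_t out_cap)
{
    size_t kept = 0;
    for (size_t i = 0; i < n && kept < out_cap; i++) {
        if (hostname_is_valid(names[i])) out[kept++] = names[i];
    }
    return kept;
}

int main(void)
{
    /* Constructed sample answers, including the XSS-style name from the text. */
    const char *const answers[] = {
        "example.com",
        "host-1.example.com.",
        "alert('xss').attacker.com",
        "-leading.example.com",
        "a..b",
    };
    const char *accepted[8];
    size_t n = sizeof answers / sizeof answers[0];
    size_t kept = filter_resolver_answers(answers, n, accepted, 8);

    printf("%zu of %zu answers accepted:\n", kept, n);
    for (size_t i = 0; i < kept; i++) printf("  %s\n", accepted[i]);
    return 0;
}
```

Running it prints the two well-formed names and silently drops the other three; a program that displays resolver results never sees the injected string. The design point is that the check belongs at the library boundary, as the fix did, so that every caller of the name-resolution functions benefits rather than each having to sanitize on its own.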

Source: opennet.ru
