Dangerous vulnerability in the SaltStack configuration management system

New releases of the centralised configuration management system SaltStack, 3002.5, 3001.6 and 3000.8, fix a vulnerability (CVE-2020-28243) that allows an unprivileged local user on a host to escalate their privileges on that system. The problem is caused by a bug in the salt-minion handler that receives commands from the central server. The vulnerability was discovered in November and has now been fixed.

When the "restartcheck" operation runs, arbitrary commands can be substituted by manipulating a process name. Specifically, the check for whether a package is present is performed by launching the package manager and passing it an argument taken from the process name. The package manager is launched by calling the popen function in shell mode, but without escaping special characters. By changing the process name and using characters such as ";" and "|", it is possible to arrange for one's own code to be executed.
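The unsafe popen pattern described above beside a hardened form, as an added example that is not Salt's own code: `echo` stands in for the package-manager query so the example runs offline, the process name is a constructed value, and `is_plausible_name` is a hypothetical extra check, not something the page describes.

```python
import re
import subprocess

# Constructed process name carrying shell metacharacters; a process's name is
# under the control of the local user who started it.
HOSTILE_NAME = "htop; echo INJECTED"

# Hypothetical stand-in for the package-manager query so the example runs
# offline; a real handler would invoke the distribution's package tool here.
PKG_QUERY = "echo"


def check_unsafe(pkg_query, proc_name):
    """Vulnerable pattern: the name is interpolated into one string and handed to
    a shell (shell=True), so ';' or '|' inside it splits the line into extra
    commands that the shell then runs."""
    cmd = f"{pkg_query} {proc_name}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def check_safe(pkg_query, proc_name):
    """Hardened pattern: an argv list and no shell, so the whole name reaches the
    program as one argument and metacharacters are never interpreted."""
    out = subprocess.run([pkg_query, proc_name], capture_output=True, text=True)
    return out.stdout.splitlines()


def is_plausible_name(proc_name):
    """Defence in depth (hypothetical check): accept only characters a package
    name can contain, rejecting anything else before a command is built."""
    return re.fullmatch(r"[A-Za-z0-9._+-]+", proc_name) is not None


def check_hardened(pkg_query, proc_name):
    """Validation plus argv-style invocation; returns None for rejected names."""
    if not is_plausible_name(proc_name):
        return None
    return check_safe(pkg_query, proc_name)


if __name__ == "__main__":
    print("unsafe  :", check_unsafe(PKG_QUERY, HOSTILE_NAME))    # ['htop', 'INJECTED']
    print("safe    :", check_safe(PKG_QUERY, HOSTILE_NAME))      # ['htop; echo INJECTED']
    print("hardened:", check_hardened(PKG_QUERY, HOSTILE_NAME))  # None
```

The unsafe call shows a second line because the shell executed the text after ";"; the safe call prints the name back unchanged because `echo` received it as a single argument.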

In addition to the problem described above, SaltStack 3002.5 fixes nine further vulnerabilities:

  • CVE-2021-25281 - because of missing authorisation checks, a remote attacker can run any wheel module on the master control server by accessing SaltAPI and thereby compromise the entire infrastructure.
  • CVE-2021-3197 - a problem in the SSH module for minions that allows arbitrary shell commands to be executed by substituting arguments via the "ProxyCommand" setting or by passing ssh_options through the API.
  • CVE-2021-25282 - unauthorised access to wheel_async allows a SaltAPI call to overwrite a file outside the base directory and execute arbitrary code on the system.
  • CVE-2021-25283 - a base-directory escape in the wheel.pillar_roots.write handler in SaltAPI allows an arbitrary template to be added to the jinja renderer.
  • CVE-2021-25284 - passwords set via webutils were written in clear text to the /var/log/salt/minion log.
  • CVE-2021-3148 - possible command substitution through a SaltAPI call to salt.utils.thin.gen_thin().
  • CVE-2020-35662 - SSL certificate verification is missing in the default configuration.
  • CVE-2021-3144 - eauth authentication tokens could still be used after they expired.
  • CVE-2020-28972 - the code did not verify the server's SSL/TLS certificate, which allowed MITM attacks.

Source: opennet.ru
