Abacwaningi abavela ku-Netflix naku-Google Kukhona ubungozi obuyisishiyagalombili ekusetshenzisweni okuhlukahlukene kwephrothokholi ye-HTTP/2 okungabangela ukwenqatshwa kwesevisi ngokuthumela ukusakazwa kwezicelo zenethiwekhi ngendlela ethile. Inkinga ithinta amaseva amaningi e-HTTP anokusekelwa kwe-HTTP/2 ngezinga elithile futhi iphumela esisebenzini esiphelelwa inkumbulo noma sidale umthwalo omningi we-CPU. Izibuyekezo ezisusa ubungozi sezivele zethulwa ngaphakathi ΠΈ , kodwa okwamanje ye-Apache httpd kanye .
Izinkinga zibangelwe yizinkinga ezethulwe kuphrothokholi ye-HTTP/2 ehambisana nokusetshenziswa kwezakhiwo kanambambili, uhlelo lokukhawulela ukugeleza kwedatha ngaphakathi kokuxhumana, indlela yokubeka phambili ukugeleza, kanye nokuba khona kwemilayezo yokulawula efana ne-ICMP esebenza ekuxhumekeni kwe-HTTP/2. ileveli (isibonelo, i-ping, setha kabusha, nezilungiselelo zokugeleza). Ukusetshenziswa okuningi akuzange kukhawule ngokufanelekile ukugeleza kwemilayezo yokulawula, akuzange kulawule kahle ulayini obalulekile lapho kucutshungulwa izicelo, noma kusetshenziswe ukusetshenziswa okuphansi kwama-algorithms okulawula ukugeleza.
Iningi lezindlela zokuhlasela ezikhonjiwe zehlela ekuthumeleni izicelo ezithile kuseva, okuholela ekukhiqizeni inani elikhulu lezimpendulo. Uma iklayenti lingafundi idatha kusokhethi futhi lingavali uxhumano, ulayini webhafa wokuphendula ohlangothini lweseva uyaqhubeka ugcwala. Lokhu kuziphatha kudala umthwalo ohlelweni lokulawula ulayini lokucubungula ukuxhumana kwenethiwekhi futhi, kuye ngezici zokuqalisa, kuholela ekuphelelweni kwenkumbulo etholakalayo noma izinsiza ze-CPU.
Ubungozi obuhlonziwe:
- I-CVE-2019-9511 (I-Data Dribble) - umhlaseli ucela inani elikhulu ledatha emicu eminingi ngokukhohlisa usayizi wewindi elislayidayo kanye nokubalulekile kwentambo, ukuphoqa iseva ukuthi ifake idatha kumugqa we-1-byte;
- I-CVE-2019-9512 (I-Ping Flood) - umhlaseli ulokhu efaka ushevu kumilayezo ye-ping ngoxhumano lwe-HTTP/2, okubangela ulayini wangaphakathi wezimpendulo ezithunyelwe ukuthi zikhukhule ngakolunye uhlangothi;
- I-CVE-2019-9513 (I-Resource Loop) - umhlaseli udala imicu yesicelo eminingi futhi ngokuqhubekayo eshintsha okubalulekile kochungechunge, okubangela ukuthi isihlahla esibalulekile sishove;
- I-CVE-2019-9514 (Setha kabusha Isikhukhula) - umhlaseli udala imicu eminingi
futhi ithumela isicelo esingavumelekile ngochungechunge ngalunye, okubangela iseva ukuthi ithumele ozimele be-RST_STREAM, kodwa ingabamukeli ukuze bagcwalise ulayini wezimpendulo; - I-CVE-2019-9515 (Isikhukhula Sezilungiselelo) - umhlaseli uthumela umfudlana wozimele "EZISETHINGI" ezingenalutho, ephendula lapho iseva kufanele ivume ukwamukela isicelo ngasinye;
- I-CVE-2019-9516 (0-Length Headers Leak) - umhlaseli uthumela uchungechunge lwezihloko ezinegama elingenalutho kanye nenani elingenalutho, futhi iseva yabela isigcinalwazi enkumbulweni ukuze sigcine unhlokweni ngamunye futhi singasikhiphi kuze kuphele isikhathi. ;
- CVE-2019-9517 (Internal Data Buffering) - umhlaseli uyavula
Iwindi elislayidayo le-HTTP/2 ukuze iseva ithumele idatha ngaphandle kwemikhawulo, kodwa igcina iwindi le-TCP livaliwe, ivimbela idatha ukuthi ingabhalwa ngempela kusokhethi. Okulandelayo, umhlaseli uthumela izicelo ezidinga impendulo enkulu; - I-CVE-2019-9518 (Izikhukhula Zozimele Ezingenalutho) - Umhlaseli uthumela ukusakaza kozimele bohlobo lwe-DATA, HEADERS, CONTINUATION, noma PUSH_PROMISE, kodwa ngokulayisha okungenalutho futhi alikho ifulegi lokunqanyulwa kokugeleza. Iseva ichitha isikhathi sicubungula uhlaka ngalunye, ngokungahambisani nomkhawulokudonsa osetshenziswa umhlaseli.
Source: opennet.ru