Seizing control of vulnerable GitLab servers to enlist them in DDoS attacks

GitLab has warned users about a rise in malicious activity tied to exploitation of the critical vulnerability CVE-2021-22205, which lets an attacker execute their own code remotely, without authentication, on a server running the GitLab collaborative development platform.

The problem has been present in GitLab since version 11.9 and was fixed in April with the release of 13.10.3, 13.9.6 and 13.8.8. However, a scan on 31 October of roughly 60,000 publicly reachable GitLab instances worldwide found that 50% of them still run outdated GitLab versions exposed to the vulnerability. The required updates had been installed on only 21% of the servers examined, and for 29% of systems the running version could not be determined.
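The version boundaries above (affected since 11.9; fixed in 13.10.3, 13.9.6 and 13.8.8) are easy to get wrong when checking a fleet by hand, so here is an added example, not GitLab's own code, that classifies a GitLab version string as vulnerable, fixed, not affected or unknown (the last mirrors the 29% of hosts whose version could not be read). Only the version facts come from the advisory; how the version string is obtained (an authenticated call to /api/v4/version, or gitlab-rake gitlab:env:info on the host) is this example's assumption.

```python
"""Classify GitLab version strings against the CVE-2021-22205 fix lines.

Added example, not GitLab's code. Version facts are taken from the advisory
text; the inventory input format and the way versions are collected are
assumptions of this example.
"""
import re
from collections import Counter

FIRST_AFFECTED = (11, 9, 0)
# Stable branches that received a fix, mapped to the first safe patch level.
FIXED_BRANCHES = {(13, 8): 8, (13, 9): 6, (13, 10): 3}
NEWEST_FIXED_BRANCH = (13, 10)   # every later branch shipped with the fix


def parse_version(text):
    """Extract (major, minor, patch) from strings such as '13.9.4',
    '13.9.4-ee' or '13.8.8-ce.0'. Returns None when no version is present,
    which is how an unreadable host is represented."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text or "")
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Map a parsed version to one of: unknown, not affected, vulnerable, fixed."""
    if version is None:
        return "unknown"
    if version < FIRST_AFFECTED:
        return "not affected"
    branch = version[:2]
    if branch in FIXED_BRANCHES:
        return "fixed" if version[2] >= FIXED_BRANCHES[branch] else "vulnerable"
    if branch > NEWEST_FIXED_BRANCH:
        return "fixed"
    return "vulnerable"   # 11.9 through 13.7.x never received a patch release


def summarize(version_strings):
    """Count classifications for an inventory, e.g. one version string per host.
    Assumed source of the strings: GET /api/v4/version with a token, or
    `gitlab-rake gitlab:env:info` run on each host."""
    return dict(Counter(classify(parse_version(v)) for v in version_strings))


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real scan data.
    inventory = ["13.10.2-ee", "13.10.3", "13.9.5", "13.8.8-ce.0", "12.0.1", "n/a", "14.4.0"]
    for v in inventory:
        print(f"{v:14s} {classify(parse_version(v))}")
    print(summarize(inventory))
```

A host reported as "unknown" should be treated as vulnerable until the version is confirmed on the box itself, since the remote fingerprint is exactly what failed for 29% of the scanned instances.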

The negligence of GitLab server administrators in applying updates meant that the vulnerability came to be actively exploited by attackers, who began planting malware on servers and enlisting them in a botnet that takes part in DDoS attacks. At its peak, the traffic volume of a DDoS attack generated by the botnet built from vulnerable GitLab servers reached 1 terabit per second.

The vulnerability stems from incorrect processing of uploaded image files by an external parser based on the ExifTool library. A vulnerability in ExifTool (CVE-2021-22204, fixed in ExifTool 12.24) allowed arbitrary commands to be executed on the system while parsing metadata in DjVu-format files: ExifTool unescaped quoted annotation strings by handing them to Perl's eval, so a crafted value can close the string and invoke Perl's qx{} command operator, as in

(metadata (Copyright "\ " . qx{echo test >/tmp/test} . \ "b"))

Moreover, because ExifTool determines the real format from the file's content (its detected MIME type) rather than from the file extension, an attacker can upload a DjVu document carrying the exploit under the guise of an ordinary JPG or TIFF image (GitLab ran ExifTool on every file with a .jpg, .jpeg or .tiff extension to strip unwanted tags). A working exploit has been published. In the default GitLab CE configuration, the attack can be carried out by sending two requests that require no authentication.
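Because the format is decided by content, a defender checking an uploads directory has to do the same: ignore the extension, look for the DjVu signature, and then read the annotation chunk where the payload lives. The following is an added example written for this article, not GitLab's or ExifTool's code. It assumes the DjVu container layout (IFF85 with an "AT&T" prefix: FORM, big-endian length, form type, then chunks of 4-byte ID plus big-endian length with data padded to an even size), uses injection patterns of its own choosing, and assumes /var/opt/gitlab/gitlab-rails/uploads as the default Omnibus uploads path; the build_djvu fixture constructs test input and is not an exploit.

```python
"""Find DjVu documents hiding behind image extensions and inspect their
annotation chunks for the ExifTool (CVE-2021-22204) injection pattern.

Added example, not GitLab's or ExifTool's code. The DjVu container layout
and the heuristic patterns below are assumptions of this example.
"""
import re
import struct
import sys
from pathlib import Path

DJVU_MAGIC = b"AT&TFORM"
DJVU_FORM_TYPES = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}
# Extensions GitLab passed to ExifTool, per the advisory.
IMAGE_EXTS = {".jpg", ".jpeg", ".tiff"}
# Heuristic: ExifTool evaluated annotation strings as Perl, so Perl's
# command-execution operators are the tell-tale; qx may use any delimiter.
INJECTION = re.compile(rb"\bqx\W|`|\bsystem\s*\(|\bexec\s*\(")


def is_djvu(data: bytes) -> bool:
    """True when the bytes carry the DjVu signature, whatever the name says."""
    return data[:8] == DJVU_MAGIC and data[12:16] in DJVU_FORM_TYPES


def iter_chunks(data: bytes, start: int, end: int):
    """Yield (chunk_id, payload) for the IFF chunks in data[start:end],
    descending into FORM containers (multi-page DJVM files nest them)."""
    pos = start
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        (length,) = struct.unpack(">I", data[pos + 4:pos + 8])
        body_start = pos + 8
        body_end = min(body_start + length, end)   # tolerate truncated files
        if cid == b"FORM":
            yield from iter_chunks(data, body_start + 4, body_end)  # skip form type
        else:
            yield cid, data[body_start:body_end]
        pos = body_end + (length & 1)   # chunks are padded to an even length


def inspect(data: bytes) -> dict:
    """Report whether data is DjVu and whether its plain-text annotations
    (ANTa) match an injection pattern. ANTz chunks are BZZ-compressed and
    are only counted; this example does not decompress them."""
    report = {"djvu": is_djvu(data), "hits": [], "compressed_annotations": 0}
    if report["djvu"]:
        for cid, body in iter_chunks(data, 4, len(data)):   # skip the "AT&T" prefix
            if cid == b"ANTa":
                report["hits"] += [m.group(0).decode("latin-1") for m in INJECTION.finditer(body)]
            elif cid == b"ANTz":
                report["compressed_annotations"] += 1
    report["injection"] = bool(report["hits"])
    return report


def scan_tree(root: str) -> list:
    """Walk an uploads directory and return (path, report) for every file
    that has an image extension but DjVu content."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in IMAGE_EXTS:
            with path.open("rb") as fh:
                data = fh.read()
            if is_djvu(data):
                findings.append((str(path), inspect(data)))
    return findings


def build_djvu(annotation: bytes) -> bytes:
    """Construct a minimal single-page DjVu file with an ANTa chunk.
    Test fixture only; the INFO chunk holds placeholder values."""
    def chunk(cid: bytes, body: bytes) -> bytes:
        return cid + struct.pack(">I", len(body)) + body + (b"\x00" if len(body) & 1 else b"")
    info = struct.pack(">HHBBHBB", 1, 1, 0, 26, 100, 22, 1)   # 10-byte INFO placeholder
    return b"AT&T" + chunk(b"FORM", b"DJVU" + chunk(b"INFO", info) + chunk(b"ANTa", annotation))


if __name__ == "__main__":
    # Assumed Omnibus default upload location; pass another path as argv[1].
    root = sys.argv[1] if len(sys.argv) > 1 else "/var/opt/gitlab/gitlab-rails/uploads"
    for name, report in scan_tree(root):
        verdict = "INJECTION" if report["injection"] else "no pattern hit"
        print(f"{name}: DjVu under image extension; {verdict} {report['hits']}")
```

A DjVu body under a .jpg name in the uploads tree is suspicious on its own, whether or not the annotation matches a pattern: compressed ANTz annotations and any delimiter not covered by the regex will not be caught, so treat the extension mismatch as the primary signal and the pattern hit as confirmation.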


GitLab users are advised to make sure they are running a current version and, if they are on an outdated release, to install the updates immediately; if for some reason that is not possible, to apply the individual patch that closes the vulnerability. Users of unpatched systems are also advised to verify that their system has not been compromised, by analysing logs and checking for suspicious accounts created by the attackers (for example dexbcx, dexbcx818, dexbcxh, dexbcxi and dexbcxa99).

Source: opennet.ru
