
If exploited, these vulnerabilities could allow attackers to gain unauthorized access to sensitive information or, more commonly, to cause service disruption.
Information was recently published about a series of vulnerabilities affecting several implementations of the HTTP/2 protocol, among them some of the most widely used, including Apache httpd and Apache Traffic Server.
Dubbed "Continuation Flood", this attack technique can target servers that support HTTP/2.0 and has the potential to exhaust memory, halt request processing, or cause high CPU load that slows down request handling.
Continuation Flood is considered more dangerous than the "Rapid Reset" vulnerability discovered last year, as it allows an attacker to disrupt or severely degrade the operation of a service with a stream of crafted requests, even from an ordinary computer. In some cases, a single TCP connection can be enough to carry out the attack. Furthermore, traffic associated with this type of attack is not easily visible in regular access logs.
Continuation Flood lies in the handling of HEADERS and CONTINUATION frames in HTTP/2 requests. HEADERS frames are used to send HTTP headers, while CONTINUATION frames are used to split the transmission of HTTP headers into several pieces, in particular when the headers do not fit in a single frame or must be sent in multiple stages. By manipulating these frames in certain combinations, the vulnerability can be exploited and a "Continuation Flood" attack launched.
The "Continuation Flood" technique is based on sending CONTINUATION frames without setting the END_HEADERS flag, which causes headers to keep arriving at the server and can exhaust the memory available to the implementation. In addition, to generate high CPU load alongside memory exhaustion, an attacker can compress the contents of the CONTINUATION frames using the HPACK format, which requires computation to parse.
In HTTP/1.1 implementations, limits are placed on header size and connection timeouts are set to protect the server against floods of headers. In HTTP/2, however, many implementations have not provided similar protection mechanisms because of the complexity of the protocol.
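As an added illustration of the kind of bound that HTTP/1.1 servers apply to headers and that many HTTP/2 implementations lacked, here is a bounded HEADERS/CONTINUATION accumulator written for this page, not code from any of the projects named above. The limit values, the `frame` helper and the sample inputs are constructed for the example; it assumes the HEADERS frame carries no padding or priority fields.

```python
import struct
FRAME_HEADERS, FRAME_CONTINUATION, FLAG_END_HEADERS = 0x1, 0x9, 0x4
# Policy limits assumed for this example (not values from any real server):
MAX_HEADER_BLOCK_BYTES = 16 * 1024   # HPACK bytes buffered per header block
MAX_CONTINUATION_FRAMES = 8          # CONTINUATION frames tolerated before END_HEADERS

def frame(ftype, flags, stream_id, payload):
    """Encode one HTTP/2 frame (RFC 7540 s4.1); used only to build sample input."""
    return len(payload).to_bytes(3, "big") + bytes([ftype, flags]) + struct.pack(">I", stream_id) + payload

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while len(data) - off >= 9:
        length = int.from_bytes(data[off:off + 3], "big")
        if len(data) - off - 9 < length:
            break                                 # incomplete trailing frame: stop
        sid = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        yield data[off + 3], data[off + 4], sid, data[off + 9:off + 9 + length]
        off += 9 + length

def collect_header_block(data):
    """Accumulate one HEADERS + CONTINUATION sequence into a bounded buffer.
    Returns (hpack_bytes, None) on END_HEADERS within the limits, or (None, reason)
    the moment a limit is exceeded, so the server can reset the stream or close the
    connection instead of buffering on. Assumes HEADERS has no PADDED/PRIORITY fields."""
    buf, stream_id, cont_frames = bytearray(), None, 0
    for ftype, flags, sid, payload in parse_frames(data):
        if stream_id is None:                     # first frame must open the block
            if ftype != FRAME_HEADERS:
                return None, "header block must start with HEADERS"
            stream_id = sid
        elif ftype != FRAME_CONTINUATION or sid != stream_id:
            return None, "header block interrupted by another frame"
        else:
            cont_frames += 1
            if cont_frames > MAX_CONTINUATION_FRAMES:
                return None, "too many CONTINUATION frames"
        if len(buf) + len(payload) > MAX_HEADER_BLOCK_BYTES:
            return None, "header block too large"   # checked before appending
        buf += payload
        if flags & FLAG_END_HEADERS:              # block complete: hand HPACK bytes on
            return bytes(buf), None
    return None, "END_HEADERS never received"

# Constructed samples: a legitimate two-frame block, and a block that never ends.
GOOD = frame(FRAME_HEADERS, 0, 1, b"\x82") + frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"\x86")
UNTERMINATED = frame(FRAME_HEADERS, 0, 3, b"\x82") + b"".join(
    frame(FRAME_CONTINUATION, 0, 3, b"\x00" * 64) for _ in range(20))
```

Because each limit is checked before a fragment is appended, the buffer never grows past the cap regardless of how many CONTINUATION frames follow, and the rejection reason is available for logging.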
Continuation Flood is dangerous for Node.js users (CVE-2024-27983), as this implementation can fail upon receiving a small number of frames sent by an attacker. Because of a race condition in Node.js, an attacker can trigger a crash by closing connections while sending an incomplete header.
Below is the list of vulnerabilities identified across the various projects:
- CVE-2024-27983 (Node.js): An attacker can make the Node.js HTTP/2 server unavailable by sending a small number of HTTP/2 frame packets that contain other HTTP/2 frames within them, which can trigger a race condition.
- CVE-2024-27919 (Envoy): Envoy's oghttp codec does not reset the request when the header map limits are exceeded, allowing an attacker to send a sequence of CONTINUATION frames without the END_HEADERS bit set, which leads to unbounded memory consumption.
- CVE-2024-2758 (Tempesta FW): Tempesta FW's rate limits are not enabled by default or are configured incorrectly, which can lead to excessive resource consumption or improper handling of HTTP requests.
- CVE-2024-2653 (amphp/http): It collects CONTINUATION HTTP/2 frames into an unbounded buffer and does not check the header size until it receives the END_HEADERS flag, which can cause an OOM crash.
- CVE-2023-45288 (Go net/http and net/http2): These implementations do not limit the number of CONTINUATION frames read for an HTTP/2 request, which can cause excessive CPU consumption when processing a large set of headers.
- CVE-2024-28182 (nghttp2): An implementation using the nghttp2 library keeps receiving CONTINUATION frames and does not invoke a callback to the application that would let it see this data before the stream is processed, which can lead to DoS.
- CVE-2024-27316 (Apache Httpd): An attacker can send HTTP/2 CONTINUATION frames without the END_HEADERS flag set in a continuous stream to an Apache Httpd implementation, which does not terminate the request promptly.
- CVE-2024-31309 (Apache Traffic Server): A DoS attack can cause Apache Traffic Server to consume additional resources on the server.
- CVE-2024-30255 (Envoy): The HTTP/2 protocol stack in Envoy versions 1.29.2 or earlier is vulnerable to CPU exhaustion from a flood of CONTINUATION frames.
If you want to know more about this, you can consult the information at the following link.