Vulnerability found in systemd that allows a denial of service

A few days ago the news broke that the Qualys research team had found a denial-of-service vulnerability caused by stack exhaustion in systemd, which any unprivileged user can exploit to crash systemd.

The vulnerability has already been catalogued as CVE-2021-33910. It is reported that the flaw affecting systemd is triggered by attempting to mount, via FUSE, a directory whose path is longer than 8 MB: the init process (PID 1) runs out of stack memory and crashes, putting the system into a "panic" state.

This vulnerability was introduced in systemd v220 (April 2015) by commit 7410616c ("core: rework unit name manipulation and validation logic"), which replaced strdup() on the heap with strdupa() on the stack. Successful exploitation of this flaw allows any unprivileged user to cause a denial of service through a kernel panic.

As soon as the Qualys research team had confirmed the vulnerability, Qualys took part in a responsible disclosure and coordinated with the author and with open source distributions to announce it.

The researchers explain that the problem behind CVE-2021-33910 arises because systemd monitors and parses the contents of /proc/self/mountinfo and processes each mount point in the unit_name_path_escape() function, which calls strdupa() to copy the data onto the stack instead of the heap.

Since the maximum allowed stack size is bounded by the RLIMIT_STACK resource limit, handling an excessively long path to a mount point makes the PID 1 process crash, which brings the whole system to a halt.

They also note that for the attack to work, the simplest FUSE module can be used together with a deeply nested directory as the mount point, so that the path length exceeds 8 MB.
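To make the mechanism concrete, here is an added example that is not systemd's code: a simplified stand-in for unit_name_path_escape() written once in the strdupa() shape the article describes and once with a bounded heap allocation, plus a helper that reads the RLIMIT_STACK budget the stack copy competes for. The escaping rule (strip leading and trailing slashes, turn each remaining slash into a dash), the function names escape_path_stack and escape_path_heap, and the 4096-byte cap are this example's assumptions; it needs glibc (or the alloca fallback) for strdupa().

```c
/*
 * Added example, not systemd's code. Contrasts the unbounded strdupa()
 * pattern behind CVE-2021-33910 with a length-checked heap copy.
 * The escaping rule is a simplified stand-in for unit_name_path_escape().
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

#ifndef strdupa                     /* fallback for C libraries without strdupa() */
#include <alloca.h>
#define strdupa(s) strcpy(alloca(strlen(s) + 1), (s))
#endif

#define MOUNT_PATH_LIMIT 4096       /* assumed cap for this example (PATH_MAX on Linux) */

/* Escape src into dst; dst must hold strlen(src)+1 bytes.
 * Leading/trailing '/' are dropped, every other '/' becomes '-'. */
static void escape_into(char *dst, const char *src) {
    size_t n = strlen(src);
    while (n > 0 && src[0] == '/') { src++; n--; }
    while (n > 0 && src[n - 1] == '/') n--;
    for (size_t i = 0; i < n; i++)
        dst[i] = (src[i] == '/') ? '-' : src[i];
    dst[n] = '\0';
}

/* Vulnerable shape: strdupa() reserves strlen(path)+1 bytes on the caller's
 * stack with no bound. A multi-megabyte mount path read from
 * /proc/self/mountinfo exceeds the default 8 MB RLIMIT_STACK and crashes
 * the process; when that process is PID 1 the kernel panics. */
char *escape_path_stack(const char *path) {
    char *copy = strdupa(path);     /* attacker-sized stack allocation */
    escape_into(copy, path);
    return strdup(copy);            /* caller frees */
}

/* Hardened shape: check the length first, then copy on the heap, so an
 * oversized mount path becomes an error instead of stack exhaustion.
 * Returns 0 on success or a negative errno. */
int escape_path_heap(const char *path, char **ret) {
    size_t n = strlen(path);
    if (n > MOUNT_PATH_LIMIT)
        return -ENAMETOOLONG;
    char *out = malloc(n + 1);
    if (!out)
        return -ENOMEM;
    escape_into(out, path);
    *ret = out;                     /* caller frees */
    return 0;
}

/* Soft stack limit in bytes (0 if unlimited, -1 on error): this is the
 * budget every strdupa() call in the process draws from. */
long long stack_limit_bytes(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return -1;
    return rl.rlim_cur == RLIM_INFINITY ? 0 : (long long)rl.rlim_cur;
}

int main(void) {
    const char *sample = "/home/user/mnt/";          /* constructed input */
    char *s = escape_path_stack(sample);
    printf("stack copy:  %s -> %s\n", sample, s);
    free(s);

    char *h = NULL;
    if (escape_path_heap(sample, &h) == 0) {
        printf("heap copy:   %s -> %s\n", sample, h);
        free(h);
    }

    /* Constructed oversized path: the hardened version refuses it. */
    char *big = malloc(MOUNT_PATH_LIMIT + 2);
    memset(big, 'a', MOUNT_PATH_LIMIT + 1);
    big[MOUNT_PATH_LIMIT + 1] = '\0';
    int rc = escape_path_heap(big, &h);
    printf("oversized path: rc=%d (%s)\n", rc, rc < 0 ? strerror(-rc) : "ok");
    free(big);

    printf("RLIMIT_STACK soft limit: %lld bytes\n", stack_limit_bytes());
    return 0;
}
```

The point of the contrast is that the stack version has no place to say "no": the copy size is decided entirely by whoever controls the mount path, whereas the heap version can reject the input before allocating anything and the process survives.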

It is also worth mentioning that the Qualys researchers point out a particular case of this vulnerability: on systemd version 248 specifically, the exploit does not work because of a bug in the systemd code that makes parsing of /proc/self/mountinfo fail. Interestingly, a very similar situation arose in 2018: while trying to write an exploit for the CVE-2018-14634 vulnerability in the Linux kernel, the Qualys researchers found three other critical vulnerabilities in systemd.

Regarding the vulnerability, the Red Hat team stated that any product compliant with RHEL could also be affected.

This includes:

  • Container products based on RHEL or UBI container images. These images are updated regularly, and the container status indicating whether a fix for this flaw is available can be viewed in the Container Health Index, part of the Red Hat Container Catalog (https://access.redhat.com/containers).
  • Products that pull packages from the RHEL channel. Make sure the underlying Red Hat Enterprise Linux systemd package is up to date in these product environments.

Given the breadth of the attack surface of this vulnerability, Qualys recommends that users apply the appropriate patches (which were already released a few days ago) for this flaw immediately.

As already mentioned, the problem has existed since systemd 220 (April 2015); it has already been fixed in the main systemd repository and on most major Linux distributions and their derivatives. You can check the status in the following links (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch).

Finally, if you are interested in learning more about this vulnerability, you can check the details in the following link.
