Denial-of-service vulnerability found affecting systemd

A few days ago news broke that the Qualys research team had found a denial-of-service vulnerability caused by stack exhaustion in systemd, so that any unprivileged user can use this flaw to crash systemd.

The vulnerability, already catalogued as CVE-2021-33910, is reported to affect systemd and is caused by a failure when attempting to mount a directory whose path is larger than 8 MB via FUSE, at which point the control init process (PID 1) runs out of stack memory and locks up, putting the system into a "panic" state.

This vulnerability was introduced in systemd v220 (Apr 2015) by commit 7410616c ("core: rework unit name validation and manipulation logic"), which replaced a strdup() on the heap with a strdupa() on the stack. Successful exploitation of this flaw allows any unprivileged user to cause a denial of service through a kernel panic.

As soon as the Qualys research team confirmed the vulnerability, Qualys followed responsible disclosure and coordinated with the upstream author and with open-source distributions to announce it.

The researchers state that the problem behind CVE-2021-33910 arises because systemd monitors and parses the contents of /proc/self/mountinfo and handles each mount point in the unit_name_path_escape() function, which in turn calls "strdupa()", an operation that allocates the data on the stack instead of the heap.

Because the maximum permitted stack size is bounded by the "RLIMIT_STACK" limit, handling an excessively long path to a mount point causes the "PID1" process to hang, which leads to the system halting.

They further note that, for the exploit to work, the simplest FUSE module can be used in combination with a very deeply nested directory as the mount point, whose path size exceeds 8 MB.
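The pattern behind this bug, as an added illustration that is not systemd's own code: a heap-based path escape that checks an explicit length bound before copying anything (PATH_MAX_ESCAPED is a hypothetical cap), next to a check of whether a strdupa()-style stack copy of a given size would even fit under the current RLIMIT_STACK. The escape rules are a simplified version of what unit_name_path_escape() does, not a faithful copy.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>

/* Hypothetical cap on a mount path we will escape; far below the 8 MB default stack. */
#define PATH_MAX_ESCAPED (1024 * 1024)
/* 1 if a stack copy of `len` bytes (what strdupa() makes) fits in the soft
 * RLIMIT_STACK with 64 KiB of headroom for the frames already in use. */
int stack_copy_fits(size_t len) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0) return 0;
    if (rl.rlim_cur == RLIM_INFINITY) return 1;
    return len < rl.rlim_cur && rl.rlim_cur - len > 65536;
}

/* Simplified heap-based path escape: strips leading/trailing '/', maps '/' to '-'
 * and any byte outside [A-Za-z0-9:_.] to \xHH. Returns NULL without allocating
 * when the input exceeds PATH_MAX_ESCAPED; the caller frees the result. */
char *path_escape_heap(const char *path) {
    size_t n = strlen(path);
    if (n > PATH_MAX_ESCAPED) return NULL;       /* bound checked before any copy */
    while (n > 0 && path[0] == '/') { path++; n--; }
    while (n > 0 && path[n - 1] == '/') n--;
    if (n == 0) return strdup("-");              /* the root mount point */
    char *out = malloc(n * 4 + 1);               /* worst case: every byte -> \xHH */
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)path[i];
        if (c == '/') *p++ = '-';
        else if (isalnum(c) || c == ':' || c == '_' || c == '.') *p++ = (char)c;
        else { sprintf(p, "\\x%02x", c); p += 4; }
    }
    *p = '\0';
    return out;
}
/* Check helper: is a constructed path of `len` 'a' bytes rejected before any copy? */
int escape_rejects_length(size_t len) {
    char *big = malloc(len + 1);
    if (!big) return 0;
    memset(big, 'a', len); big[len] = '\0';
    char *r = path_escape_heap(big);
    int rejected = (r == NULL);
    free(big); free(r);
    return rejected;
}
```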

It is also worth mentioning that the Qualys researchers describe a particular case of this vulnerability: specifically with systemd version 248, the exploit does not work because of a bug in the systemd code that causes the parsing of /proc/self/mountinfo to fail. Interestingly, a very similar situation arose in 2018 while they were trying to write an exploit for CVE-2018-14634 in the Linux kernel, when the Qualys researchers found another critical flaw in systemd.

Regarding the vulnerability, the Red Hat team noted that any product based on RHEL will also be affected.

This includes:

  • Product containers based on RHEL or UBI container images. These images are updated regularly, and the container status showing whether a fix for this flaw is available can be viewed in the Container Health Index, part of the Red Hat Container Catalog (https://access.redhat.com/containers).
  • Products that pull packages from the RHEL channel. Make sure the Red Hat Enterprise Linux systemd package is up to date in these product environments.

Given the breadth of the attack surface of this vulnerability, Qualys recommends that users apply the appropriate patches (already released a few days ago) for it without delay.

As already mentioned, the problem has existed since systemd 220 (Apr 2015); it has already been fixed in the main systemd repository and in most major Linux distributions as well as their derivatives. You can check the status at the following links (Debian, Ubuntu, Fedora, RHEL, SUSE, Arch).

Finally, if you are interested in learning more about the vulnerability, you can consult the details at the following link.

