A vulnerability that allowed access to Runner tokens has been fixed in GitLab

A few days ago GitLab disclosed in a blog post that researchers had revealed details of a now-patched security vulnerability in GitLab, the open source DevOps software, which could allow an unauthenticated remote attacker to retrieve user-related information.

The main vulnerability, now registered as CVE-2021-4191, is caused by a medium-severity flaw affecting all versions of GitLab Community Edition and Enterprise Edition from 13.0, and all versions from 14.4 up to but not including 14.8.

Jake Baines, a senior security researcher at Rapid7, is credited with discovering and reporting the flaw. After responsible disclosure on November 18, 2021, fixes were released as part of the critical security releases 14.8.2 and 14.7.4. The flaw could allow an unauthorized user to capture GitLab Runner registration tokens, which are used to organize the handlers invoked when building project code in a continuous integration system.

"The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API requests," Baines said in a report published on Thursday. "An unauthenticated remote attacker could use this vulnerability to harvest registered GitLab usernames, names and email addresses."

In addition, it is noted that if you use Kubernetes executors, you should update the Helm chart values with the new registration token.

For self-managed instances that are not on version 14.6 or later, GitLab has published patches that can be applied to mitigate the disclosure of the runner registration token through the quick actions vulnerability. These patches should be considered temporary. Any GitLab instance should be upgraded to the patched versions 14.8.2, 14.7.4 or 14.6.5 as soon as possible.
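As an added example (not GitLab's or Rapid7's code), the following script turns the patched releases named above into a check that an administrator can run over an inventory of self-managed instances. It assumes that every 13.x or 14.x release below the patched release of its minor line (14.6.5 for lines older than 14.7) is still exposed, and that lines newer than 14.8 ship with the fix.

```python
"""Check whether self-managed GitLab versions still need the CVE-2021-4191 fix.

Added example, not GitLab's own tooling. Patched releases (14.8.2, 14.7.4,
14.6.5) come from the advisory; the range logic below is an assumption
derived from it: 13.0 up to the patched release of each line is affected.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Patched release per minor line, as named in the advisory.
PATCHED: Dict[Tuple[int, int], Version] = {
    (14, 8): (14, 8, 2),
    (14, 7): (14, 7, 4),
    (14, 6): (14, 6, 5),
}
FIRST_AFFECTED: Version = (13, 0, 0)   # assumption: "from 13.0"
OLDEST_PATCHED: Version = (14, 6, 5)   # floor for lines older than 14.6
NEWEST_PATCHED_LINE = (14, 8)


def parse_version(text: str) -> Version:
    """Parse '14.7.3', '14.7.3-ee' or 'v14.8.0' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(text: str) -> bool:
    """True if the version lies in an affected range and needs upgrading."""
    v = parse_version(text)
    if v < FIRST_AFFECTED or v[:2] > NEWEST_PATCHED_LINE:
        return False
    fix = PATCHED.get(v[:2])
    return v < fix if fix else True   # older 13.x/14.x lines have no in-line fix


def recommended_upgrade(text: str) -> str:
    """Smallest patched release that an affected version can move to."""
    v = parse_version(text)
    return ".".join(map(str, PATCHED.get(v[:2], OLDEST_PATCHED)))


def audit(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, current, target) for every instance still exposed."""
    return [(host, ver, recommended_upgrade(ver))
            for host, ver in inventory.items() if is_affected(ver)]


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {"git-a.example": "14.7.3-ee", "git-b.example": "14.8.2",
              "git-c.example": "14.2.0", "git-d.example": "12.10.14"}
    for host, ver, target in audit(sample):
        print(f"{host}: {ver} is exposed, upgrade to {target}")
```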

Successful exploitation of the API leak could allow malicious actors to enumerate and compile lists of legitimate usernames of a target, which could then serve as a basis for brute-force attacks, including password guessing, password spraying and credential stuffing.

"The information leak allows an attacker to build a new user wordlist based on GitLab installations, not only from gitlab.com but also from the other 50,000 GitLab instances reachable on the internet."

Users who maintain their own GitLab installations are advised to install the update or apply the patch as soon as possible. The issue was fixed by restricting access to quick action commands to users with write permission.

After installing the update or the standalone "token-prefix" patches, previously created Runner registration tokens for groups and projects will be reset and regenerated.

In addition to the main vulnerability, the newly released versions also include fixes for 6 minor vulnerabilities:

  • DoS attack via the feedback submission system: an issue in GitLab CE/EE affecting all versions starting from 8.15. It was possible to trigger a DoS by using the math function with a specific formula in issue comments.
  • Adding other users to groups by an unprivileged user: affects all versions prior to 14.3.6, all versions from 14.4 prior to 14.4.4, and all versions from 14.5 prior to 14.5.2. Under certain conditions, the GitLab REST API could allow unprivileged users to add other users to groups, even when this is not possible through the web UI.
  • Misleading users through content spoofing in Snippets: allows an unauthorized actor to create Snippets with misleading content, which could trick unwary users into running improper commands.
  • Leakage of environment variables via the "sendmail" delivery method: improper input validation in all versions of GitLab CE/EE that use sendmail to send emails allowed an unauthorized actor to steal environment variables via specially crafted email addresses.
  • Determining user existence via the GraphQL API: private GitLab instances with restricted registration may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.
  • Password leak when viewing mirrors over SSH in pull mode.

Finally, if you are interested in learning more about it, you can check the details at the following link.

