Apache 2.4.49 HTTP server released with vulnerability fixes

The release of the Apache 2.4.49 HTTP server has been announced; it brings 27 changes and fixes 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 susceptibility to a new variant of the HTTP Request Smuggling attack, which allows an attacker, by sending specially crafted requests, to wedge into the content of other users' requests passed through mod_proxy (for example, to inject malicious JavaScript code into another user's session on the site).
  • CVE-2021-40438 - SSRF (Server Side Request Forgery) vulnerability in mod_proxy, which allows an attacker, by sending a request with a specially crafted uri-path, to redirect the request to a server of the attacker's choosing.
  • CVE-2021-39275 - Buffer overflow in the ap_escape_quotes function. The vulnerability is marked as not dangerous, because none of the standard modules pass external data to this function. It is, however, theoretically possible that third-party modules exist through which an attack could be carried out.
  • CVE-2021-36160 - Out-of-bounds read in the mod_proxy_uwsgi module, leading to a crash.
  • CVE-2021-34798 - Null pointer dereference causing the process to crash when handling specially crafted requests.

The most notable non-security changes are:

  • Many internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" settings have been moved from mod_ssl into the core. It is now possible to use alternative SSL modules to secure connections made through mod_proxy. Added the ability to log private keys, which can be used in wireshark to analyze encrypted traffic.
  • mod_proxy speeds up the parsing of unix socket paths passed in "proxy:" URLs.
  • The capabilities of the mod_md module, which is used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, have been expanded. Quoting of domains is now allowed, and tls-alpn-01 support is provided for registered names not bound to virtual hosts.
  • Added the StrictHostCheck option to reject unconfigured hostnames as arguments to "allow" directives.
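
As an added illustration of the last item (this is not configuration from the article or from the httpd project): a minimal server configuration that turns the check on. It assumes the directive takes ON/OFF in the server config context, as in the httpd core documentation, and the hostnames are constructed placeholders.

```apache
# Added example, not part of the article. Assumes StrictHostCheck takes
# ON/OFF in the server config context, as documented for the httpd core.
#
# With the default (StrictHostCheck OFF) a request whose Host header names
# a host that matches no ServerName/ServerAlias is still answered by the
# first virtual host. Enabling the check makes httpd reject such requests
# instead, so only explicitly configured names are served.
StrictHostCheck ON

<VirtualHost *:80>
    # These are the only "configured" hostnames for this server
    # (constructed placeholders).
    ServerName  www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example
</VirtualHost>
```

After enabling the directive, verify with `apachectl configtest` that the server still starts, and watch the error log for rejected requests: monitoring or health-check probes that connect by IP address rather than by a configured name will be turned away until their hostname is added to a ServerName or ServerAlias.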

Source: opennet.ru
