Apache HTTP Server 2.4.56 released with vulnerabilities fixed

The release of Apache HTTP Server 2.4.56 has been published. It introduces 6 changes and eliminates 2 vulnerabilities that make it possible to carry out an "HTTP Request Smuggling" attack on front-end/back-end systems, giving access to the contents of other users' requests processed in the same thread between the frontend and the backend. The attack can be used to bypass access restrictions or to inject malicious JavaScript code into a session with a legitimate website.

The first vulnerability (CVE-2023-27522) affects the mod_proxy_uwsgi module and allows a response to be split into two parts on the proxy side by substituting special characters into an HTTP header returned by the backend.

The second vulnerability (CVE-2023-25690) is present in mod_proxy and manifests when certain request-rewriting rules are used, either through the RewriteRule directive provided by the mod_rewrite module or through certain patterns in the ProxyPassMatch directive. The vulnerability can lead to a request being made through the proxy to internal resources that are not allowed to be accessed through the proxy, or to poisoning of the cache contents. For the vulnerability to manifest, the request-rewriting rules must use data taken from the URL, which is then substituted into the request that is forwarded. For example:

    RewriteEngine on
    RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
    ProxyPassReverse /here/ http://example.com:8080/
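As an added illustration (not part of the original article and not Apache's own tooling), the following Python script scans an httpd.conf fragment for the configuration pattern just described: a proxying RewriteRule ([P] flag) or a ProxyPassMatch whose target copies URL data into the forwarded request via a $N backreference. The configuration text is constructed for the example, and the checker is a heuristic for auditing, not a replacement for upgrading to 2.4.56.

```python
import re

# Constructed sample httpd.conf fragment (not from any real server). Lines 2 and 5
# reproduce the risky shape from the advisory; lines 4 and 6 do not forward URL data.
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
RewriteRule "^/static/(.*)" "/assets/$1" [L]
ProxyPassMatch "^/api/(.*)$" "http://127.0.0.1:9000/v1/$1"
ProxyPass /fixed/ http://127.0.0.1:9000/fixed/
"""

BACKREF = re.compile(r"\$\d")          # $1 .. $9 substitutions in a target
ARG = re.compile(r'"([^"]*)"|(\S+)')   # quoted argument or bare word


def split_directive(line):
    """Split one directive line into arguments, honouring double quotes."""
    return [quoted or bare for quoted, bare in ARG.findall(line)]


def is_proxy_flag_set(flag_field):
    """True if a RewriteRule flag list such as [P,L] or [proxy] contains P/proxy."""
    flags = flag_field.strip("[]").split(",")
    return any(f.strip().split("=")[0].upper() in ("P", "PROXY") for f in flags)


def find_risky_proxy_rules(conf_text):
    """Return (line_no, directive, target) for every rule that proxies a request
    whose target embeds client-controlled URL data through a $N backreference."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = split_directive(line)
        directive = parts[0].lower()
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            proxied = len(parts) > 3 and is_proxy_flag_set(parts[3])
            if proxied and BACKREF.search(target):
                hits.append((n, parts[0], target))
        elif directive == "proxypassmatch" and len(parts) >= 3:
            target = parts[2]
            if BACKREF.search(target):
                hits.append((n, parts[0], target))
    return hits


if __name__ == "__main__":
    for line_no, directive, target in find_risky_proxy_rules(SAMPLE_CONF):
        print(f"line {line_no}: {directive} forwards URL data into {target}")
```

Any hit is a rule to review: either remove the backreference from the proxied target or make sure the server runs 2.4.56 or later, where mod_proxy validates what it forwards.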

Among the non-security changes:

  • The "-T" flag was added to the rotatelogs utility; it allows subsequent rotated log files to be truncated during log rotation without truncating the initial log file.
  • mod_ldap now accepts negative values in the LDAPConnectionPoolTTL directive to configure the reuse of connections of any age.
  • The mod_md module, used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, when built with libressl 3.5.0+ now includes support for the ED25519 digital signature scheme and for public certificate log data (CT, Certificate Transparency). The MDChallengeDns01 directive now allows settings to be defined for individual domains.
  • mod_proxy_uwsgi has tightened its checking and parsing of responses from HTTP backends.

Source: opennet.ru
