Apache 2.4.49 HTTP server release with vulnerability fixes

The Apache HTTP server 2.4.49 release has been published, introducing 27 changes and fixing 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 is susceptible to a new variant of the "HTTP Request Smuggling" attack, which allows an attacker who sends specially crafted client requests to interfere with the content of requests from other users forwarded through mod_proxy (for example, malicious JavaScript code could be injected into another user's session on the site).
  • CVE-2021-40438 - an SSRF (Server Side Request Forgery) vulnerability in mod_proxy that allows a request to be redirected to a server of the attacker's choosing by sending a specially crafted uri-path request.
  • CVE-2021-39275 - a buffer overflow in the ap_escape_quotes function. The vulnerability is rated as low-risk because none of the standard modules pass external data to this function. It is possible, however, that third-party modules exist through which an attack could be carried out.
  • CVE-2021-36160 - an out-of-bounds read in the mod_proxy_uwsgi module that leads to a crash.
  • CVE-2021-34798 - a NULL pointer dereference that crashes the process when handling specially crafted requests.

The most notable non-security changes are:

  • Numerous changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" settings have been moved from mod_ssl into the core. It is now possible to use alternative SSL modules to protect connections made through mod_proxy. The ability to log private keys has been added, which can be used in Wireshark to analyse encrypted traffic.
  • In mod_proxy, parsing of unix socket paths passed in "proxy:" URLs has been sped up.
  • The capabilities of the mod_md module, used to automate obtaining and renewing certificates via the ACME (Automatic Certificate Management Environment) protocol, have been extended. Domains may now be enclosed in quotes, and tls-alpn-01 is supported for domain names that are not bound to a virtual host.
  • The StrictHostCheck directive has been added, which forbids specifying unconfigured host names among the arguments of the "allow" list.
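As an added example (not part of the original news item), a name-based virtual host that turns on the new StrictHostCheck directive; the host names and file paths are constructed placeholders:

```apache
# Constructed example for Apache 2.4.49 or later.
# The default is StrictHostCheck OFF: a request whose Host header matches
# no configured name is still served by the default virtual host for the
# address:port, so unexpected Host values silently reach the application.
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com

    # ON: a request whose Host header is not one of the names configured
    # for this address:port (ServerName / ServerAlias) is rejected with
    # 400 Bad Request instead of falling through to the default vhost.
    StrictHostCheck ON

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    DocumentRoot /var/www/example
</VirtualHost>
```

Run `apachectl configtest` after the change; an unrecognised directive at that step means the server is older than 2.4.49.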

Source: opennet.ru
