Emebela mmelite ngwa ngwa na sava Apache 2.4.50, nke na-ewepụ ihe ọghọm ụbọchị 0 ejirila arụ ọrụ (CVE-2021-41773), nke na-enye ohere ịnweta faịlụ sitere na mpaghara na-abụghị akwụkwọ ndekọ aha saịtị ahụ. N'iji adịghị ike ahụ, ọ ga-ekwe omume ibudata faịlụ usoro aka ike na ederede ederede nke ederede weebụ, nke onye ọrụ na-agụ nke sava http na-agba ọsọ. A mara ọkwa ndị mmepe maka nsogbu ahụ na Septemba 17, mana enwere ike wepụta mmelite ahụ naanị taa, ka edekọtara ikpe nke adịghị ike a na-eji na-awakpo weebụsaịtị na netwọkụ.
Mbelata ihe egwu dị na adịghị ike ahụ bụ na nsogbu ahụ na-apụta naanị na ụdị 2.4.49 ewepụtara na nso nso a na anaghị emetụta mwepụta niile mbụ. Alaka kwụsiri ike nke nkesa ihe nkesa enweghị nchekwa ejibeghị 2.4.49 ntọhapụ (Debian, RHEL, Ubuntu, SUSE), mana nsogbu ahụ metụtara nkesa na-aga n'ihu dị ka Fedora, Arch Linux na Gentoo, yana ọdụ ụgbọ mmiri nke FreeBSD.
Ọdịmma ahụ bụ n'ihi ahụhụ ewepụtara n'oge a na-edegharị koodu maka ịhazigharị ụzọ n'ime URI, n'ihi nke a agaghị eme ka agwa ntụpọ "% 2e" dị n'ụzọ ga-adị mma ma ọ bụrụ na ntụpọ ọzọ buru ya ụzọ. Ya mere, ọ ga-ekwe omume iji dochie mkpụrụedemede "../" raw n'ime ụzọ a ga-esi na ya pụta site n'ịkọpụta usoro ".% 2e/" na arịrịọ ahụ. Dịka ọmụmaatụ, arịrịọ dịka "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" ma ọ bụ "https://example.com/cgi -bin /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" nyere gị ohere ịnweta ọdịnaya nke faịlụ "/etc/passwd".
Nsogbu a anaghị eme ma ọ bụrụ na anabataghị ohere ịnweta akwụkwọ ndekọ aha n'ụzọ doro anya site na iji ntọala "chọrọ agọnahụ niile". Dịka ọmụmaatụ, maka nchekwa akụkụ, ị nwere ike ịkọwapụta na faịlụ nhazi: chọrọ ihe niile jụrụ
Apache httpd 2.4.50 na-edozikwa adịghị ike ọzọ (CVE-2021-41524) na-emetụta modul na-emejuputa usoro HTTP/2. Ọdịmma ahụ mere ka o kwe omume ibido nkwụsịtụ pointer efu site na izipu arịrịọ emepụtara pụrụ iche wee mee ka usoro ahụ daa. Adịghị ike a na-egosikwa naanị na ụdị 2.4.49. Dịka nchekwa nchekwa, ị nwere ike gbanyụọ nkwado maka protocol HTTP/2.
isi: opennet.ru