Apache HTTP Server 2.4.49 released with vulnerability fixes

Apache HTTP Server 2.4.49 has been released, bringing 27 changes and eliminating 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 is vulnerable to a new variant of the "HTTP Request Smuggling" attack, which allows an attacker who sends specially crafted client requests to inject content into requests from other users that are forwarded through mod_proxy (for example, this could be used to inject malicious JavaScript code into another site user's session).
  • CVE-2021-40438 - SSRF (Server Side Request Forgery) vulnerability in mod_proxy, which allows a request to be redirected to a server chosen by the attacker by sending a specially crafted uri-path request.
  • CVE-2021-39275 - Buffer overflow in the ap_escape_quotes function. The vulnerability is marked as benign because none of the standard modules pass external data to this function, but it is possible that third-party modules exist through which an attack could be carried out.
  • CVE-2021-36160 - Out-of-bounds read in the mod_proxy_uwsgi module leading to a crash.
  • CVE-2021-34798 - NULL pointer dereference causing a crash when processing specially crafted requests.

The most notable non-security changes are:

  • Many internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" settings have been moved from mod_ssl into the server core. Alternative SSL modules can now be used to protect connections made through mod_proxy. Added the ability to log private keys, which can be used in wireshark to analyse encrypted traffic.
  • In mod_proxy, parsing of unix socket paths passed in "proxy:" URLs has been improved.
  • The capabilities of the mod_md module, used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, have been expanded. Domain names may now be enclosed in quotes, and tls-alpn-01 support is provided for domain names not associated with virtual hosts.
  • Added the StrictHostCheck parameter, which prohibits specifying unconfigured host names among the arguments of the "allow" list.

Source: opennet.ru
