Vulnerability in the Apache 2.4.49 http server that allows reading files outside the site root

An urgent update, Apache http server 2.4.50, has been released. It removes an already actively exploited 0-day vulnerability (CVE-2021-41773) that allows access to files located outside the site's root directory. Using the vulnerability, it is possible to download arbitrary system files and the source code of web scripts, provided they are readable by the user account under which the http server runs. The developers were notified of the problem on September 17, but were only able to publish the update today, after cases of the vulnerability being used to attack websites had been recorded in the wild.

What limits the danger of the vulnerability is that the problem is present only in the recently released version 2.4.49 and does not affect earlier releases. The stable branches of conservative server distributions (Debian, RHEL, Ubuntu, SUSE) have not yet adopted the 2.4.49 release, but the problem does affect rolling-release distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.

The vulnerability is caused by a bug introduced during a rewrite of the code that normalizes paths in URIs: a dot character encoded as "%2e" in a path was not normalized when it was preceded by another dot. As a result, the "../" sequence in the resulting path could be substituted by specifying ".%2e/" in the request. For example, requests such as "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" or "https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" returned the contents of the files "/etc/passwd" and "/etc/hosts" respectively.
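As an added example (not code from the original article or from the httpd project), the following Python models the normalization behaviour described above and then checks constructed access-log lines for the encoded dot-dot patterns. The rule it implements is an assumption simplified from the description, not the httpd source: the first dot of a path segment may be given as "%2e", but the second dot is only recognized when it is a literal ".", so ".%2e" and "%2e%2e" segments survive normalization and are only decoded to ".." when the path is later mapped onto the filesystem. The document root, log format and log lines are constructed for the example.

```python
"""Model of the CVE-2021-41773 path normalization flaw, plus a log check.

Added example; not httpd source.  The normalizer is a simplified assumption
about the 2.4.49 behaviour: a segment's first dot may be "%2e", but the
second dot is only recognized when it is a literal '.', so ".%2e" and
"%2e%2e" are not treated as ".." until the path is percent-decoded for
filesystem access.
"""
import posixpath
import re
from urllib.parse import unquote

ENCODED_DOT = re.compile(r"%2e", re.IGNORECASE)


def _dots(segment: str, fixed: bool) -> str:
    """Decode %2e to '.' the way the modelled 2.4.49 (buggy) or 2.4.50 (fixed) normalizer does."""
    if fixed:
        # 2.4.50: every %2e in the segment counts as a dot
        return ENCODED_DOT.sub(".", segment)
    # 2.4.49 (assumed): only a leading %2e is decoded, so ".%2e" is not a ".." segment
    if ENCODED_DOT.match(segment):
        return "." + segment[3:]
    return segment


def normalize_path(path: str, fixed: bool) -> str:
    """Collapse '.' and '..' segments of an absolute URI path, keeping other segments verbatim."""
    out = []
    for segment in path.split("/")[1:]:
        dots = _dots(segment, fixed)
        if dots in ("", "."):
            continue
        if dots == "..":
            if out:
                out.pop()
            continue
        out.append(segment)  # still percent-encoded at this stage
    return "/" + "/".join(out)


def map_to_filesystem(docroot: str, request_path: str, fixed: bool) -> str:
    """Normalize, then percent-decode and join with the document root.

    The decode happens after normalization, which is what turns a surviving
    ".%2e" segment into a real ".." on the filesystem.
    """
    normalized = normalize_path(request_path, fixed)
    return posixpath.normpath(docroot.rstrip("/") + unquote(normalized))


def escapes_docroot(docroot: str, request_path: str, fixed: bool) -> bool:
    """True when the mapped file lies outside the document root."""
    root = docroot.rstrip("/")
    fs_path = map_to_filesystem(root, request_path, fixed)
    return not (fs_path == root or fs_path.startswith(root + "/"))


# Combined-log-format line: client, method, target and status are captured.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# An encoded dot-dot segment (".%2e" or "%2e%2e") bounded by slashes, any case.
ENCODED_DOTDOT_RE = re.compile(r"(?i)(?:^|/)(?:\.%2e|%2e%2e)(?:/|$)")


def find_traversal_attempts(log_lines):
    """Return (client, method, target, status) for requests carrying an encoded '..' segment.

    Literal "../" is not flagged: 2.4.49 normalizes it correctly, so it is not
    the bypass.  A 200 status on a flagged request is the strongest signal.
    """
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client, method, target, status = match.groups()
        if ENCODED_DOTDOT_RE.search(target):
            hits.append((client, method, target, int(status)))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Oct/2021:10:01:02 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1440 "-" "curl/7.74.0"',
    '203.0.113.5 - - [05/Oct/2021:10:01:03 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 240 "-" "curl/7.74.0"',
    '198.51.100.7 - - [05/Oct/2021:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Oct/2021:10:02:11 +0000] "GET /docs/../index.html HTTP/1.1" 200 3012 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    payload = "/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd"
    for fixed in (False, True):
        print("fixed" if fixed else "buggy", map_to_filesystem("/var/www/html", payload, fixed))
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print("traversal attempt:", hit)
```

The model shows why the second example request from the text also works: "%2e%2e" decodes only its first dot under the buggy rule, leaving ".%2e", which the normalizer keeps as an ordinary segment. With the corrected rule both payloads collapse to "/etc/passwd" or "/etc/hosts" relative to the document root, and the request never leaves it.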

The problem does not manifest if access to directories is explicitly denied with the "Require all denied" setting. For example, for partial protection you can specify in the configuration file: Require all denied

Apache httpd 2.4.50 also fixes another vulnerability (CVE-2021-41524) affecting the module that implements the HTTP/2 protocol. The vulnerability made it possible to trigger a null pointer dereference by sending a specially crafted request and thereby crash the process. This vulnerability is likewise present only in version 2.4.49. As a protective workaround, HTTP/2 protocol support can be disabled.
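The two workarounds above (denying directory access by default, and disabling HTTP/2) as one added configuration example; it is not taken from the article or from the httpd project, and the document root "/var/www/html" is an assumption:

```apache
# Deny access to the whole filesystem by default, then open only the
# document root.  On 2.4.49 this gives partial protection against
# CVE-2021-41773; it is not a substitute for updating to 2.4.50.
<Directory />
    Require all denied
</Directory>

<Directory "/var/www/html">
    Require all granted
</Directory>

# Workaround for CVE-2021-41524 until 2.4.50 is deployed: offer HTTP/1.1
# only, so mod_http2 is never negotiated.
Protocols http/1.1
```

Leaving the "LoadModule http2_module" line commented out in httpd.conf has the same effect as the Protocols line. Both directives are real httpd directives; the caveat is that "Require all denied" on "/" only helps where no other Directory or Alias block grants access to a location the traversal can reach, which is why the text calls it partial protection.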

Source: opennet.ru
