Cusboonaysiinta degdegga ah ee server-ka Apache 2.4.50 ayaa la sameeyay, taas oo meesha ka saaraysa dayac-tirka 0-maalin ee horeba si firfircoon looga faa'iidaysanayay (CVE-2021-41773), kaas oo u oggolaanaya gelitaanka faylasha meelaha ka baxsan tusaha xididka ee goobta. Isticmaalka nuglaanta, waxaa suurtagal ah in la soo dejiyo faylalka nidaamka aan sabab lahayn iyo qoraallada isha ee qoraallada webka, oo uu akhriyi karo isticmaalaha uu ka hoos shaqeynayo server-ka http. Horumarinta ayaa lagu wargeliyay dhibaatada Sebtembar 17, laakiin waxay awoodeen inay sii daayaan cusboonaysiinta maanta oo keliya, ka dib markii kiisaska u nuglaanshaha loo isticmaalo in lagu weeraro mareegaha laga duubay shabakadda.
Yaraynta khatarta nuglaanshaha waa in dhibaatadu ay ka muuqato kaliya nooca dhawaan la sii daayay ee 2.4.49 oo aan saameyn ku yeelan dhammaan sii deyntii hore. Laamaha xasilloon ee qaybinta konserfatifka wali ma aysan isticmaalin 2.4.49 sii deynta (Debian, RHEL, Ubuntu, SUSE), laakiin dhibaatadu waxay saamaysay qaybinta joogtada ah ee la cusbooneysiiyay sida Fedora, Arch Linux iyo Gentoo, iyo sidoo kale dekedaha FreeBSD.
Nuglaanta waxaa sabab u ah bug la soo bandhigay inta lagu guda jiro dib u qorida koodka si caadi loogu dhigo wadooyinka URI-yada, taas oo ay ugu wacan tahay "%2e" calaamad dhibco ah oo ku jirta dariiqa aan la caadiynayn haddii ay ka horayso dhibco kale. Sidaa darteed, waxaa suurtagal ahayd in lagu beddelo xarfaha "../" cayriin ee waddada natiijada iyadoo lagu qeexayo taxanaha ".%2e/" ee codsiga. Tusaale ahaan, codsi sida "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" ama "https://example.com/cgi -bin /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" ayaa kuu ogolaatay inaad hesho waxa ku jira faylka "/etc/passwd".
Dhibaatadu ma dhacdo haddii gelitaanka hagayaasha si cad loo diido iyada oo la adeegsanayo goobta "waxay u baahan tahay dhammaan diidmada". Tusaale ahaan, ilaalinta qayb ahaan waxaad ku qeexi kartaa faylka qaabeynta: u baahan dhammaan la diiday
Apache httpd 2.4.50 sidoo kale waxay hagaajisaa nuglaanta kale (CVE-2021-41524) oo saameeya cutubka fulinaya borotokoolka HTTP/2. Nuglaanta ayaa suurta gelisay in la bilaabo ka-hortagga tilmaame-beeleed iyadoo la dirayo codsi si gaar ah loo diyaariyay oo sababay in hab-socodku burburo. Nuglaantani waxay sidoo kale ka muuqataa kaliya nooca 2.4.49. Hawsha amniga ahaan, waxaad joojin kartaa taageerada borotokoolka HTTP/2.
Source: opennet.ru