Uhlaziyo olungxamisekileyo kwi-Apache 2.4.50 iseva ye-http yenziwe, esusa ubungozi obusele buxhaphake ngokusebenzayo kwi-0-day (CVE-2021-41773), evumela ukufikelela kwiifayile ezivela kwiindawo ezingaphandle kweengcambu zengcambu yesayithi. Ukusebenzisa ubuthathaka, kuyenzeka ukukhuphela iifayile zesistim esitenxileyo kunye nemibhalo eyimvelaphi yezikripthi zewebhu, ezifundeka ngumsebenzisi apho umncedisi we-http osebenza phantsi kwakhe. Abaphuhlisi baziswe ngengxaki ngoSeptemba 17, kodwa bakwazi ukukhulula uhlaziyo kuphela namhlanje, emva kokuba iimeko zobuthathaka ezisetyenziselwa ukuhlasela iiwebhusayithi zirekhodwa kwinethiwekhi.
Ukunciphisa ingozi yokuba sesichengeni kukuba ingxaki ibonakala kuphela kwinguqulo esanda kukhutshwa 2.4.49 kwaye ayichaphazeli konke ukukhutshwa kwangaphambili. Amasebe azinzileyo onikezelo lweseva egcinayo ayikasebenzisi ukukhutshwa kwe-2.4.49 (i-Debian, i-RHEL, Ubuntu, i-SUSE), kodwa ingxaki ichaphazele ngokuqhubekayo ukuhanjiswa okuhlaziyiweyo okufana ne-Fedora, i-Arch Linux kunye neGentoo, kunye namachweba e-FreeBSD.
Ukuba sesichengeni kungenxa yegciwane elaziswa ngexesha lokuphinda kubhalwe ikhowudi yokwenza iindlela zesiqhelo kwii-URIs, ngenxa apho "% 2e" unobumba wechaphaza ofakwe ngekhowudi kwindlela ebengayi kuba yesiqhelo ukuba ibilandelwa lelinye ichaphaza. Ngoko ke, bekunokwenzeka ukufaka endaweni yamagama akrwada “../” kwindlela enesiphumo ngokuchaza ulandelelwano “.%2e/” kwisicelo. Umzekelo, isicelo esinje “https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd” okanye “https://example.com/cgi -bin /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" ikuvumela ukuba ufumane imixholo yefayile "/etc/passwd".
Ingxaki ayenzeki ukuba ufikelelo kubalawuli kwaliwe ngokucacileyo kusetyenziswa "funa zonke zaliwe" isicwangciso. Umzekelo, ukhuseleko olungaphelelanga ungachaza kwifayile yoqwalaselo: zifuna zonke zaliwe
I-Apache httpd 2.4.50 iphinda ilungise enye ingozi (CVE-2021-41524) echaphazela imodyuli yokuphumeza i-HTTP/2 protocol. Ukuba semngciphekweni kwenza ukuba kuqaliswe ukurhoxiswa kwesalathi esingenanto ngokuthumela isicelo esenziwe ngokukodwa kwaye kubangele inkqubo ukuba ingqubeke. Oku buthathaka kubonakala kuphela kwinguqulo 2.4.49. Njengomsebenzi wokhuseleko, unokukhubaza inkxaso ye-HTTP/2 protocol.
umthombo: opennet.ru