Apache HTTP Server 2.4.56 released with vulnerability fixes

The release of Apache HTTP Server 2.4.56 has been published. It introduces 6 changes and eliminates 2 vulnerabilities related to the possibility of "HTTP Request Smuggling" attacks on frontend-backend systems, which allow an attacker to wedge into the content of other users' requests processed in the same connection between the frontend and the backend. The attack can be used to bypass access restriction systems or to inject malicious JavaScript code into a session with a legitimate website.

The first vulnerability (CVE-2023-27522) affects the mod_proxy_uwsgi module and allows a response to be split into two parts on the proxy side by substituting special characters into an HTTP header returned by the backend.

The second vulnerability (CVE-2023-25690) is present in mod_proxy and occurs when certain request rewriting rules are used, either through the RewriteRule directive provided by the mod_rewrite module or through certain patterns in the ProxyPassMatch directive. The vulnerability can lead to a request via the proxy for internal resources that are not allowed to be accessed through the proxy, or to cache content poisoning. For the vulnerability to manifest, the request rewriting rules must use data taken from the URL, which is then substituted into the request forwarded to the backend. Example:

  RewriteEngine on
  RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
  ProxyPassReverse /here/ http://example.com:8080/
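As an added example (not part of the original article or of the Apache project), the following script audits an httpd configuration for the pattern described above: RewriteRule directives with the [P] (proxy) flag, or ProxyPassMatch directives, whose target substitutes URL-derived backreferences such as $1 into the forwarded request. It only flags configurations worth reviewing before or after upgrading to 2.4.56; the configuration text it scans is a constructed sample, and `audit` and `SAMPLE_CONF` are names chosen here.

```python
import re
import shlex

# Constructed sample httpd.conf fragment (not from a real server). Line 2
# mirrors the vulnerable pattern quoted in the advisory text above.
SAMPLE_CONF = """\
RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1"; [P]
ProxyPassReverse /here/ http://example.com:8080/
# Local rewrite only: request data is used, but nothing is proxied
RewriteRule "^/static/(.*)" "/var/www/static/$1" [L]
ProxyPassMatch "^/api/(.*)$" "http://backend.internal:9000/api/$1"
ProxyPass /safe/ http://backend.internal:9000/safe/
"""

# $N backreferences from the RewriteRule / ProxyPassMatch pattern.
# (%N backreferences from RewriteCond are not covered by this check.)
BACKREF = re.compile(r"\$[0-9]")


def parse_flags(token):
    """Turn '[P,L,E=var:val]' into {'p', 'l', 'e'} (flag names, lower-case)."""
    if not (token.startswith("[") and token.endswith("]")):
        return set()
    return {f.split("=", 1)[0].strip().lower() for f in token[1:-1].split(",")}


def audit(conf_text):
    """Return [(line_number, message)] for directives that proxy URL data."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            toks = shlex.split(line)  # honours Apache's double-quoted arguments
        except ValueError:
            continue  # unbalanced quotes: not a directive we can assess
        directive = toks[0].lower()
        if directive == "rewriterule" and len(toks) >= 3:
            subst = toks[2]
            flags = parse_flags(toks[3]) if len(toks) > 3 else set()
            if flags & {"p", "proxy"} and BACKREF.search(subst):
                findings.append((lineno, "RewriteRule [P] forwards request data: " + subst))
        elif directive == "proxypassmatch" and len(toks) >= 3 and BACKREF.search(toks[2]):
            findings.append((lineno, "ProxyPassMatch forwards request data: " + toks[2]))
    return findings


if __name__ == "__main__":
    for lineno, msg in audit(SAMPLE_CONF):
        print(f"line {lineno}: {msg}")
```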

Among the non-security changes:

  • The "-T" flag was added to the rotatelogs utility, allowing subsequent log files to be truncated during log rotation without truncating the initial log file.
  • mod_ldap allows negative values in the LDAPConnectionPoolTTL directive to configure the reuse of any old connections.
  • The mod_md module, used to automate the acquisition and maintenance of certificates via the ACME (Automatic Certificate Management Environment) protocol, now includes support for the ED25519 digital signature scheme and for public certificate log (CT, Certificate Transparency) information when built with libressl 3.5.0+. The MDChallengeDns01 directive allows settings to be defined for individual domains.
  • mod_proxy_uwsgi has tightened the checking and parsing of responses from HTTP backends.

Source: opennet.ru
