Vulnerability in the Apache 2.4.49 http server allowing retrieval of files outside the site root

An urgent update to the Apache http server, version 2.4.50, has been released. It fixes a 0-day vulnerability (CVE-2021-41773) that was already being actively exploited and that allows access to files located outside the site root directory. Using the vulnerability, it is possible to download arbitrary system files and the source code of web scripts, provided they are readable by the user the http server runs as. The developers were notified of the problem on September 17, but were only able to release the update today, after cases of the vulnerability being used to attack websites had been recorded on the network.

Reducing the danger of the vulnerability is the fact that the problem appears only in the recently released version 2.4.49 and does not affect any earlier release. The stable branches of conservative server distributions have not yet adopted release 2.4.49 (Debian, RHEL, Ubuntu, SUSE), but the problem does affect continuously updated rolling distributions such as Fedora, Arch Linux and Gentoo, as well as the FreeBSD ports.

The vulnerability is caused by a bug introduced during a rewrite of the code that normalizes paths in URIs: a dot character encoded as "%2e" in a path is not normalized when it is preceded by another dot. As a result, it became possible to substitute the raw characters "../" into the resulting path by specifying the sequence ".%2e/" in the request. For example, a request such as "https://example.com/cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd" or "https://example.com/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts" allowed the contents of the "/etc/passwd" file to be obtained.
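The following is an added example, not part of the original article, showing how a defender can scan Apache access logs for the encoded-dot traversal pattern described above; it decodes each requested path, flags segments that only become "." or ".." after percent-decoding, and checks whether the decoded path climbs above the document root. The log lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not taken from the article.
SAMPLE_LOG = """\
10.0.0.5 - - [05/Oct/2021:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.7 - - [05/Oct/2021:10:12:03 +0000] "GET /cgi-bin/.%2e/.%2e/.%2e/.%2e/etc/passwd HTTP/1.1" 200 1324
10.0.0.7 - - [05/Oct/2021:10:12:04 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 230
10.0.0.9 - - [05/Oct/2021:10:12:05 +0000] "GET /docs/%2e%2e/index.html HTTP/1.1" 404 196
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def encoded_dot_segments(raw_path):
    """Path segments that decode to '.' or '..' but were not written literally.
    Normal clients never percent-encode a dot, so any hit is worth a look."""
    segments = raw_path.split('?', 1)[0].split('/')
    return [s for s in segments if '%' in s and unquote(s) in ('.', '..')]


def escapes_root(raw_path):
    """True if the percent-decoded path resolves above the document root.
    Depth is tracked manually because os.path.normpath silently drops leading '..'."""
    depth = 0
    for seg in unquote(raw_path.split('?', 1)[0]).split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def scan_log(log_text):
    """Return (client_ip, raw_path, status, reasons) for every suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = m.group('path')
        reasons = []
        if encoded_dot_segments(path):
            reasons.append('encoded-dot-segment')
        if escapes_root(path):
            reasons.append('escapes-docroot')
        if reasons:
            findings.append((line.split(' ', 1)[0], path, m.group('status'), reasons))
    return findings
```

A 200 status on a request flagged "escapes-docroot" indicates the file was actually served, not merely requested, which is what an incident responder needs to prioritize.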

The problem does not occur when access to directories is explicitly denied with the "Require all denied" setting. For example, as a partial protection, you can specify in the configuration file: Require all denied

Apache httpd 2.4.50 also fixes another vulnerability (CVE-2021-41524), affecting the module that implements the HTTP/2 protocol. The vulnerability made it possible to trigger a null pointer dereference by sending a specially crafted request and thereby crash the process. This vulnerability also appears only in version 2.4.49. As a workaround, you can disable HTTP/2 protocol support.

Source: opennet.ru
