Apache HTTP 2.4.52 fixes 2 vulnerabilities and brings several changes

A few days ago the release of the new version of the Apache HTTP server, 2.4.52, was announced. It contains about 25 changes and, in addition, fixes for 2 vulnerabilities.

For those unfamiliar with the Apache HTTP server: it is an open-source, cross-platform HTTP web server that implements the HTTP/1.1 protocol and the notion of a virtual site according to the RFC 2616 standard.

What's new in Apache HTTP 2.4.52?

In this new version of the server, support for building against the OpenSSL 3 library has been added to mod_ssl. In addition, detection of the OpenSSL library in the autoconf scripts has been improved.

Another notable addition in this version concerns mod_proxy for tunneling protocols: it is now possible to disable the forwarding of TCP half-close on a connection by setting the "SetEnv proxy-nohalfclose" parameter.

In mod_proxy_connect and mod_proxy, changing the status code after it has already been sent to the client is now prohibited.

In mod_dav, support for CalDAV extensions has been added, which requires taking both document elements and property elements into account when generating a property. New functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() have been added; they can be called from other modules.

In mod_http2, regressions that led to incorrect behavior when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits have been fixed.

It is also noted that the capabilities of the mod_md module, which automates the acquisition and maintenance of certificates through the ACME protocol (Automatic Certificate Management Environment), have been extended:

Support for the ACME External Account Binding (EAB) mechanism has been added; it is enabled with the MDExternalAccountBinding directive. The EAB values can be read from an external JSON file so that the authentication parameters are not exposed in the main server configuration file.

The 'MDCertificateAuthority' directive now validates that its url parameter is an http/https URL or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').

Other changes that stand out in this new version:

  • Checks have been added that URIs not intended for proxying have an http/https scheme, while those intended for proxying include a hostname.
  • Sending an interim response after receiving a request with the "Expect: 100-Continue" header is now supported, to report the result of the "100 Continue" status rather than the current status of the request.
  • mpm_event fixes a problem with stopping idle child processes after a spike in server load.
  • The MDContactEmail directive may now be specified inside the section.
  • Several bugs have been fixed, including a memory leak that occurred when a private key failed to load.

As for the vulnerabilities fixed in this new version, the following are mentioned:

  • CVE-2021-44790: A buffer overflow in mod_lua, triggered when parsing multipart requests. The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, and allows an attacker to cause a buffer overflow by sending a specially crafted request. The existence of an exploit has not yet been confirmed, but the problem could potentially lead to code execution on the server.
  • SSRF (Server Side Request Forgery) vulnerability in mod_proxy: in configurations with the "ProxyRequests on" option, a request with a specially crafted URI can redirect the request to another handler on the same server that accepts connections over a Unix domain socket. The problem can also be used to cause a crash by creating the conditions for a null pointer dereference. It affects Apache httpd versions since 2.4.7.
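As an added example, not taken from the announcement or from the Apache project's own documentation, the fragment below shows how the mod_md and mod_proxy settings mentioned above fit together in an httpd.conf for 2.4.52. The hostnames, backend addresses and the EAB file path are assumptions.

```apache
# Added example: httpd.conf fragment using the 2.4.52 features described above.
# All names, addresses and paths here are assumed values.

LoadModule md_module               modules/mod_md.so
LoadModule ssl_module              modules/mod_ssl.so
LoadModule proxy_module            modules/mod_proxy.so
LoadModule proxy_http_module       modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module   modules/mod_proxy_wstunnel.so

# ACME settings for mod_md. MDCertificateAuthority accepts an http/https URL
# or one of the predefined names; the test endpoint is used here so that a
# misconfiguration does not consume production rate limits.
MDCertificateAuthority LetsEncrypt-Test
MDContactEmail         admin@example.com

# External Account Binding: point the directive at a JSON file instead of
# writing the key id and HMAC key into httpd.conf. The (assumed) file holds
#   {"kid": "<key id issued by the CA>", "hmac": "<base64url HMAC key>"}
# and should be readable only by root and the httpd user.
MDExternalAccountBinding /etc/httpd/md/eab.json

MDomain www.example.com

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on

    # Reverse proxy only. ProxyRequests stays Off (the default), so the
    # forward-proxy mode that the SSRF fix concerns is not enabled at all.
    ProxyRequests Off
    ProxyPass        "/app/" "http://127.0.0.1:8080/app/"
    ProxyPassReverse "/app/" "http://127.0.0.1:8080/app/"

    # For a tunnelled backend, 2.4.52 allows forwarding of TCP half-close
    # to be switched off with the proxy-nohalfclose environment variable.
    <Location "/ws/">
        SetEnv proxy-nohalfclose 1
        ProxyPass "ws://127.0.0.1:8081/ws/"
    </Location>
</VirtualHost>
```

Run `httpd -t` after editing to confirm the directives are accepted by the installed version before reloading.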

Finally, if you want to know more about this newly released version, you can check the details at the following link.
