Multiple security vulnerabilities in Apache Traffic Server

Published: 2021-06-30

0x00 Vulnerability overview

| Product | CVE ID | Description | Severity | Remotely exploitable |
| --- | --- | --- | --- | --- |
| Apache Traffic Server | CVE-2021-27577 | Cache poisoning | Medium | Yes |
| Apache Traffic Server | CVE-2021-32565 | HTTP request smuggling | Medium | |
| Apache Traffic Server | CVE-2021-32566 | DoS | High | |
| Apache Traffic Server | CVE-2021-32567 | Repeated frame reads | Medium | |
| Apache Traffic Server | CVE-2021-35474 | Stack buffer overflow | High | |

 

0x01 Vulnerability details

Apache Traffic Server (ATS) is a fast, scalable, open-source HTTP/1.1 and HTTP/2 compliant web caching proxy server, and is now a top-level project of the Apache Software Foundation.

Recently, multiple security vulnerabilities were disclosed in Apache Traffic Server; they leave ATS susceptible to a range of HTTP/1.x and HTTP/2 attacks.

The vulnerabilities disclosed in this advisory are:

CVE-2021-27577: Incorrect handling of URL fragments in Apache Traffic Server leads to cache poisoning (Medium)

CVE-2021-32565: HTTP request smuggling via the Content-Length field (Medium)

CVE-2021-32566: A specific sequence of HTTP/2 frames can crash ATS (High)

CVE-2021-32567: HTTP/2 frames are read too many times (Medium)

CVE-2021-35474: Dynamic stack buffer overflow in the cachekey plugin (High)

 

Affected versions

ATS 7.0.0 - 7.1.12

ATS 8.0.0 - 8.1.1

ATS 9.0.0 - 9.0.1

 

0x02 Remediation advice

These vulnerabilities have been fixed; upgrading to the following versions is recommended:

7.x users: upgrade to 8.1.2, 9.0.2, or later

8.x users: upgrade to 8.1.2 or later

9.x users: upgrade to 9.0.2 or later

Download link:

https://trafficserver.apache.org/downloads
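To turn the version ranges above into a repeatable check across a fleet, the following added example (not part of the advisory or of the ATS project) maps an installed version to its affected range and to the upgrade target the advisory names for that branch. The affected ranges and fixed releases are taken from this advisory; the regular expression simply looks for an x.y.z token, so it accepts either a bare version string or a line of `traffic_server --version` output (the exact format of that output is an assumption, not something the advisory states).

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges per release branch, inclusive, as listed in the advisory.
AFFECTED_RANGES: Dict[int, Tuple[Version, Version]] = {
    7: ((7, 0, 0), (7, 1, 12)),
    8: ((8, 0, 0), (8, 1, 1)),
    9: ((9, 0, 0), (9, 0, 1)),
}

# Upgrade target the advisory gives for each branch.  7.x has no fixed
# 7.x release; the advisory sends those users to 8.1.2 or 9.0.2.
UPGRADE_TARGET: Dict[int, str] = {
    7: "8.1.2 or 9.0.2",
    8: "8.1.2",
    9: "9.0.2",
}

# Matches the first x.y.z token in a string.  Accepting arbitrary
# surrounding text is an assumption so that raw tool output can be
# passed in as well as a bare version string.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Version:
    """Extract an (major, minor, patch) tuple from a version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess_ats_version(text: str) -> Dict[str, Optional[object]]:
    """Classify an ATS version against the advisory's affected ranges.

    Returns a dict with the parsed version, whether the branch is covered
    by the advisory at all, whether the version falls inside an affected
    range, and the upgrade target to apply if it does.
    """
    ver = parse_version(text)
    major = ver[0]
    rng = AFFECTED_RANGES.get(major)
    covered = rng is not None
    affected = covered and rng[0] <= ver <= rng[1]
    return {
        "version": ".".join(str(p) for p in ver),
        "covered_by_advisory": covered,
        "affected": affected,
        "upgrade_to": UPGRADE_TARGET[major] if affected else None,
    }


if __name__ == "__main__":
    # Constructed sample inputs; the long line imitates tool output.
    samples = [
        "8.1.1",
        "9.0.2",
        "7.1.12",
        "Apache Traffic Server - traffic_server - 9.0.1 - (build # 0)",
    ]
    for s in samples:
        print(assess_ats_version(s))
```

A version outside every listed range (for example a 9.x release newer than 9.0.1) is reported as not affected, and a branch the advisory does not mention at all (6.x and earlier) is reported as not covered rather than as safe, since the advisory says nothing about it.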

 

0x03 References

https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E

https://trafficserver.apache.org/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32565

 

0x04 Timeline

2021-06-24  Vulnerabilities disclosed

2021-06-30  VSRC publishes this security advisory

 

0x05 Appendix

 

CVSS scoring standard (official site): http://www.first.org/cvss/