Apache Traffic Server: Multiple Security Vulnerabilities

Published: 2021-06-30

0x00 Vulnerability Overview

Product: Apache Traffic Server
Remotely exploitable: Yes

CVE ID          | Description                         | Severity
----------------|-------------------------------------|---------
CVE-2021-27577  | Cache poisoning                     | Medium
CVE-2021-32565  | HTTP request smuggling              | Medium
CVE-2021-32566  | DoS (denial of service)             | High
CVE-2021-32567  | Excessive reading of HTTP/2 frames  | Medium
CVE-2021-35474  | Stack buffer overflow               | High

0x01 Vulnerability Details

Apache Traffic Server (ATS) is a fast, scalable, open-source caching proxy server that supports HTTP/1.1 and HTTP/2; it is a top-level project of the Apache Software Foundation.

Multiple security vulnerabilities were recently disclosed in Apache Traffic Server. They leave ATS exposed to a range of HTTP/1.x and HTTP/2 attacks.

The vulnerabilities disclosed in this batch are:

CVE-2021-27577: Incorrect handling of URL fragments in Apache Traffic Server leads to cache poisoning (Medium)

CVE-2021-32565: HTTP request smuggling via the Content-Length header field (Medium)

CVE-2021-32566: A specific sequence of HTTP/2 frames can crash ATS (High)

CVE-2021-32567: HTTP/2 frames are read too many times (Medium)

CVE-2021-35474: Dynamic stack buffer overflow in the cachekey plugin (High)
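The advisory does not describe the exact triggers for CVE-2021-27577 and CVE-2021-32565. The following Python code is an added example, not ATS code and not part of the original advisory: it shows the two generic defences a caching proxy front-end applies against those bug classes, refusing HTTP/1.1 requests whose body framing is ambiguous (conflicting or non-numeric Content-Length, Content-Length alongside Transfer-Encoding, whitespace before the header colon) and building a cache key that never includes the URL fragment. The request samples are constructed for the example, and the function names (parse_request_head, body_length, cache_key, admit, rejection_reason) are the example's own.

```python
"""Added example: inbound request admission checks for a caching proxy.

Illustration code, not Apache Traffic Server code. It demonstrates two
generic defences: unambiguous HTTP/1.1 message framing (against request
smuggling) and a cache key that excludes the URL fragment (against cache
poisoning).
"""
import re
from urllib.parse import urlsplit, urlunsplit


class RequestError(ValueError):
    """Raised for any request that must be refused rather than forwarded."""


def parse_request_head(raw: bytes):
    """Split a raw request head into (method, target, headers).

    headers keeps every field in wire order, duplicates included, so that
    conflicting framing fields stay visible to body_length() below.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    try:
        method, target, version = lines[0].decode("ascii").split(" ")
    except ValueError as exc:  # wrong field count or non-ASCII bytes
        raise RequestError("malformed request line") from exc
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        raise RequestError("unsupported HTTP version")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.decode("latin-1").partition(":")
        # RFC 7230 3.2.4: no whitespace is allowed between name and colon;
        # "Content-Length : 4" is how one parser is made to ignore a field.
        if not sep or not name or name != name.strip():
            raise RequestError("malformed header field")
        headers.append((name, value.strip()))
    return method, target, headers


def body_length(headers):
    """Return the declared body length in bytes, or None for a chunked body.

    Ambiguity is refused, not resolved (RFC 7230 3.3.3). Two parsers in the
    chain that resolve the same ambiguity differently is what a smuggler needs.
    """
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl = [v for n, v in headers if n.lower() == "content-length"]
    if te and cl:
        raise RequestError("Transfer-Encoding and Content-Length together")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise RequestError("final transfer coding must be chunked")
        return None
    if not cl:
        return 0
    # "Content-Length: 6, 6" (list form) and two separate fields are treated alike.
    values = [v.strip() for field in cl for v in field.split(",")]
    if len(set(values)) != 1:
        raise RequestError("conflicting Content-Length values")
    if not re.fullmatch(r"[0-9]+", values[0]):
        raise RequestError("Content-Length is not a decimal integer")
    return int(values[0])


def cache_key(method: str, target: str, host: str) -> str:
    """Build the cache key from method, authority, path and query only.

    The fragment (#...) is client-side data; it never enters the key or the
    upstream request, so every client asking for one path and query shares
    one cache entry regardless of what an attacker appended after '#'.
    """
    parts = urlsplit(target)
    authority = (parts.netloc or host).lower()
    path_and_query = urlunsplit(("", "", parts.path or "/", parts.query, ""))
    return f"{method}:{authority}:{path_and_query}"


def admit(raw: bytes) -> dict:
    """Run both checks; return the forwarding decision or raise RequestError."""
    method, target, headers = parse_request_head(raw)
    hosts = [v for n, v in headers if n.lower() == "host"]
    if len(hosts) != 1:
        raise RequestError("exactly one Host field required")
    return {
        "method": method,
        "body_length": body_length(headers),
        "cache_key": cache_key(method, target, hosts[0]),
    }


def rejection_reason(raw: bytes):
    """The RequestError message for a refused request, or None if admitted."""
    try:
        admit(raw)
    except RequestError as exc:
        return str(exc)
    return None


# Constructed sample requests for the example (not captured traffic).
FRAGMENT_REQUEST = b"GET /index.html#evil HTTP/1.1\r\nHost: Example.test\r\n\r\n"
CONFLICTING_CL = (
    b"POST /api HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 6\r\nContent-Length: 0\r\n\r\nG"
)
SPACED_NAME = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length : 4\r\n\r\nabcd"
```

Run the module and call admit(FRAGMENT_REQUEST) to see the fragment dropped from the key, and rejection_reason(CONFLICTING_CL) / rejection_reason(SPACED_NAME) to see the two framing refusals. The design choice worth copying is that body_length() never picks a winner between conflicting fields: a proxy that "helpfully" takes the first or last Content-Length will eventually disagree with the origin behind it.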

Affected versions:

ATS 7.0.0 - 7.1.12

ATS 8.0.0 - 8.1.1

ATS 9.0.0 - 9.0.1

0x02 Remediation

These vulnerabilities have been fixed. Upgrade to the following versions:

7.x users: upgrade to 8.1.2 or 9.0.2 or later

8.x users: upgrade to 8.1.2 or later

9.x users: upgrade to 9.0.2 or later
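To turn the affected ranges and upgrade advice above into a check that can be run over an inventory of ATS hosts, here is an added Python example. It is not ATS tooling and not part of the original advisory; it encodes only the ranges and targets this page states, so a version outside those ranges is reported as "not affected by this advisory", nothing more. The host inventory is constructed for the example, and the exact banner format of `traffic_server --version` is deliberately not assumed: parse_version() only requires that an x.y.z triple appear somewhere in the text.

```python
"""Added example: triage installed ATS versions against this advisory.

Not ATS tooling. It encodes only the affected ranges and upgrade advice
stated above; anything outside those ranges is reported as not affected by
this advisory, which is not the same as being free of all known issues.
"""
import re

# Inclusive ranges from the "Affected versions" section.
AFFECTED_RANGES = (
    ((7, 0, 0), (7, 1, 12)),
    ((8, 0, 0), (8, 1, 1)),
    ((9, 0, 0), (9, 0, 1)),
)
# Upgrade advice per major version, as given in the remediation section.
UPGRADE_ADVICE = {7: ("8.1.2", "9.0.2"), 8: ("8.1.2",), 9: ("9.0.2",)}


def parse_version(text: str) -> tuple:
    """Return the first x.y.z triple found in text as a tuple of ints.

    The banner printed by `traffic_server --version` is not assumed to have
    any particular layout; only that it contains a dotted three-part version.
    """
    m = re.search(r"(?<![0-9.])([0-9]+)\.([0-9]+)\.([0-9]+)(?![0-9.])", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: tuple) -> bool:
    """True if version lies inside any affected range (int tuples compare numerically)."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def upgrade_targets(version: tuple) -> tuple:
    """Versions the advisory tells this install to move to; empty if not affected."""
    if not is_affected(version):
        return ()
    return UPGRADE_ADVICE[version[0]]


def triage(inventory: str) -> list:
    """Parse 'host version-text' lines into (host, version, affected, targets) rows."""
    rows = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(" ")
        version = parse_version(version_text)
        rows.append((host, version, is_affected(version), upgrade_targets(version)))
    return rows


# Constructed inventory for the example (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
cache01 traffic_server 8.1.1
cache02 traffic_server 9.0.2
edge07 traffic_server 7.1.12
edge08 traffic_server 8.1.2
"""

if __name__ == "__main__":
    for host, version, affected, targets in triage(SAMPLE_INVENTORY):
        status = "upgrade to " + " or ".join(targets) if affected else "not affected"
        print(f"{host:8s} {'.'.join(map(str, version)):8s} {status}")
```

Feed it the output of your own inventory tool one "host version-text" per line; because the ranges are inclusive tuples, 8.1.1 is flagged while 8.1.2 is not, and a 7.x host is offered both upgrade paths the advisory lists.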

Download link:

https://trafficserver.apache.org/downloads

0x03 References

https://lists.apache.org/thread.html/ra1a41ff92a70d25bf576d7da2590575e8ff430393a3f4a0c34de4277%40%3Cannounce.trafficserver.apache.org%3E

https://trafficserver.apache.org/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32565

0x04 Timeline

2021-06-24  Vulnerabilities disclosed

2021-06-30  VSRC publishes security advisory

0x05 Appendix

CVSS scoring standard (official site): http://www.first.org/cvss/