Internet Technology / Internet News · 26 January 2024

Request smuggling vulnerability in the Varnish HTTP accelerator shipped with Red Hat Enterprise Linux; patch as soon as possible

Varnish Cache is a high-performance HTTP accelerator (a caching reverse proxy). It keeps copies of web pages in memory so that the web server does not have to generate the same page over and over, which noticeably speeds up a site.

On 2 August 2021, Red Hat released a security update fixing a request smuggling vulnerability in the Varnish HTTP accelerator packages it ships. (HTTP request smuggling is a technique that interferes with the way a site processes a sequence of HTTP requests: an attacker gets a front-end proxy and a back-end server to disagree about where one request ends and the next begins, which lets the attacker bypass security controls, gain unauthorized access to sensitive data and directly compromise other users of the application.) The details are as follows:

Vulnerability details

Source: https://access.redhat.com/errata/RHSA-2021:2988

CVE-2021-36740 CVSS score: 8.1 Severity: High (rated Important by Red Hat)

A flaw was found in Varnish: with HTTP/2 enabled, Varnish Cache allows request smuggling and VCL authorization bypass via a large Content-Length header on a POST request. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Note that the bug is only reachable on instances that have HTTP/2 support switched on (the http2 feature flag, which is off by default in Varnish); an instance that only serves HTTP/1.1 is not exposed, and turning HTTP/2 off is the stop-gap until the package has been updated.
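To make the smuggling mechanism concrete, the following is an added example (not Varnish code, and not the exact code path of this CVE): a minimal model of a proxy that terminates HTTP/2 and forwards requests to an HTTP/1.1 backend over a reused connection. The proxy, the authorize() rule standing in for a VCL access check, the paths and the request bytes are all constructed for illustration. With HTTP/2 the header block and the DATA frames arrive separately, so the Content-Length the client declares and the body bytes the proxy actually receives are independent numbers; the vulnerable variant forwards both unchanged, the hardened variant refuses a request where they disagree.

```python
# Added example (not Varnish code): HTTP request smuggling through a
# Content-Length disagreement between an HTTP/2-terminating proxy and an
# HTTP/1.1 backend. Everything below is constructed for illustration.

def parse_http1_requests(stream):
    """Split a backend connection's byte stream into requests the way an
    HTTP/1.1 server does: head up to CRLFCRLF, then Content-Length bytes of
    body, then the next request begins immediately afterwards."""
    requests = []
    pos = 0
    while pos < len(stream):
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break  # incomplete head: a real server would wait for more bytes
        head_lines = stream[pos:end].decode("latin-1").split("\r\n")
        method, path, _version = head_lines[0].split(" ", 2)
        headers = {}
        for line in head_lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = end + 4
        requests.append({"method": method, "path": path, "headers": headers,
                         "body": stream[body_start:body_start + length]})
        pos = body_start + length
    return requests

def serialize_http1(method, path, headers, body):
    """Build the HTTP/1.1 bytes a proxy writes to its backend connection."""
    head = f"{method} {path} HTTP/1.1\r\n"
    head += "".join(f"{name}: {value}\r\n" for name, value in headers.items())
    return head.encode("latin-1") + b"\r\n" + body

def declared_length(headers):
    """Case-insensitive Content-Length lookup; None when the header is absent."""
    for name, value in headers.items():
        if name.lower() == "content-length":
            return int(value)
    return None

def authorize(path):
    """Stand-in for a VCL access-control rule. It only ever sees the request
    the proxy parsed, which is exactly what a smuggled request slips past."""
    return not path.startswith("/admin")

def forward_trusting(method, path, headers, body):
    """Vulnerable proxy behaviour: check the parsed request, then forward the
    client's own Content-Length together with every body byte received.
    Nothing forces those two numbers to agree."""
    if not authorize(path):
        return None  # rejected at the proxy; nothing reaches the backend
    return serialize_http1(method, path, headers, body)

def forward_strict(method, path, headers, body):
    """Hardened proxy behaviour: a body that does not match the declared
    Content-Length is a protocol error and the request is dropped, so the
    backend stream can only contain what the proxy actually authorized."""
    if not authorize(path):
        return None
    declared = declared_length(headers)
    if declared is not None and declared != len(body):
        raise ValueError(f"Content-Length {declared} does not match "
                         f"body of {len(body)} bytes")
    return serialize_http1(method, path, headers, body)

# Constructed attacker request: the declared length covers only "x=1"; the
# rest of the body is a complete second HTTP/1.1 request for a path the
# proxy would refuse if it saw it as a request of its own.
SMUGGLED = b"GET /admin/users HTTP/1.1\r\nHost: backend.internal\r\n\r\n"
ATTACK_HEADERS = {"Host": "example.test", "Content-Length": "3"}
ATTACK_BODY = b"x=1" + SMUGGLED

def backend_view(forwarder):
    """Paths the backend parses out of what the given proxy behaviour forwards
    for the attacker's request; an empty list means nothing got through."""
    try:
        stream = forwarder("POST", "/search", ATTACK_HEADERS, ATTACK_BODY)
    except ValueError:
        return []
    if stream is None:
        return []
    return [request["path"] for request in parse_http1_requests(stream)]

if __name__ == "__main__":
    print("trusting proxy, backend parses:", backend_view(forward_trusting))
    print("strict proxy, backend parses:  ", backend_view(forward_strict))
```

With the trusting proxy the backend parses two requests, /search and /admin/users, although only /search ever passed the authorization rule; with the strict proxy the backend parses nothing. The opposite mismatch (a declared length larger than the bytes actually sent) is the other half of the same problem: the backend keeps reading the body and swallows the next request on the pooled connection, possibly another user's, and the same equality check covers it. A proxy can alternatively rewrite Content-Length to the number of bytes it really received, but rejecting the mismatch is the safer default.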

Affected products and versions

Red Hat Enterprise Linux for x86_64 8 x86_64

Red Hat Enterprise Linux for x86_64 – Extended Update Support 8.4 x86_64

Red Hat Enterprise Linux for x86_64 – Extended Update Support 8.2 x86_64

Red Hat Enterprise Linux for x86_64 – Extended Update Support 8.1 x86_64

Red Hat Enterprise Linux Server – AUS 8.4 x86_64

Red Hat Enterprise Linux Server – AUS 8.2 x86_64

Red Hat Enterprise Linux for IBM z Systems 8 s390x

Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 8.4 s390x

Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 8.2 s390x

Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 8.1 s390x

Red Hat Enterprise Linux for Power, little endian 8 ppc64le

Red Hat Enterprise Linux for Power, little endian – Extended Update Support 8.4 ppc64le

Red Hat Enterprise Linux for Power, little endian – Extended Update Support 8.2 ppc64le

Red Hat Enterprise Linux for Power, little endian – Extended Update Support 8.1 ppc64le

Red Hat Enterprise Linux Server – TUS 8.4 x86_64

Red Hat Enterprise Linux Server – TUS 8.2 x86_64

Red Hat Enterprise Linux for ARM 64 8 aarch64

Red Hat Enterprise Linux for ARM 64 – Extended Update Support 8.4 aarch64

Red Hat Enterprise Linux for ARM 64 – Extended Update Support 8.2 aarch64

Red Hat Enterprise Linux for ARM 64 – Extended Update Support 8.1 aarch64

Red Hat Enterprise Linux Server (for IBM Power LE) – Update Services for SAP Solutions 8.4 ppc64le

Red Hat Enterprise Linux Server (for IBM Power LE) – Update Services for SAP Solutions 8.2 ppc64le

Red Hat Enterprise Linux Server (for IBM Power LE) – Update Services for SAP Solutions 8.1 ppc64le

Red Hat Enterprise Linux Server – Update Services for SAP Solutions 8.4 x86_64

Red Hat Enterprise Linux Server – Update Services for SAP Solutions 8.2 x86_64

Red Hat Enterprise Linux Server – Update Services for SAP Solutions 8.1 x86_64

Solution

An update for the varnish:6 module is now available for Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.1 Extended Update Support and Red Hat Enterprise Linux 8.2 Extended Update Support. Because the fix is delivered as a module stream update, make sure the varnish:6 stream is the one enabled on the host before updating, and restart the varnishd service afterwards so the patched binary is actually the one serving traffic.

For details on how to apply this update, including the changes described in this advisory, see:

https://access.redhat.com/articles/11258

For more vulnerability information and the upgrade itself, visit the official site:

https://access.redhat.com/security/security-updates/#/security-advisories