【Apache】HTTPD 2.4.37 + OpenSSL 1.1.1 enterprise-grade security configuration (including TLS fixes)

Why am I writing this post?

So that fewer ops engineers and developers fall short of their company's information-security requirements, I am sharing my own HTTPD security fixes (2.2 and 2.4 differ very little, so just follow the 2.4 version).

Background: I work for a certain company M. Because M partnered with testin, they ran a scan script and the security check flagged the following:

Slow HTTP Denial of Service Attack (the fix is reqtimeout_module; I won't cover it below)
Insecure HTTP
POODLE
SWEET32
Middleware vulnerabilities:
Version disclosure in the response headers

【Incidentally, I already knew about all of these; their remediation advice was useless, just the usual copy-and-paste boilerplate】
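The configuration below addresses each scanner finding listed above (version disclosure, slow-HTTP DoS, plain HTTP, POODLE, SWEET32). It is an example added here, not the original post's configuration and not a vendor hardening guide. It assumes httpd 2.4.37 built against OpenSSL 1.1.1; the hostname www.example.com, the module paths under modules/ and the certificate paths under /etc/httpd/tls/ are placeholders that must be adjusted to the local build. Note that httpd does not allow trailing comments on a directive line, so every comment sits on its own line.

```apache
# Added hardening example for httpd 2.4.37 + OpenSSL 1.1.1 (not the post's own config).
# Module paths differ by distribution; these are the defaults of a source build.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule headers_module    modules/mod_headers.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule alias_module      modules/mod_alias.so

# --- Finding: version disclosure in response headers ---
# WEAK (the default):  ServerTokens Full
#   -> "Server: Apache/2.4.37 (Unix) OpenSSL/1.1.1"
# FIXED: only the product name is sent ("Server: Apache") and error pages carry no footer.
ServerTokens Prod
ServerSignature Off

# --- Finding: Slow HTTP Denial of Service (slowloris, slow POST body) ---
# mod_reqtimeout: request headers must be complete within 20 s, extended up to 40 s
# as long as the client keeps sending at least 500 bytes/s; the body gets 20 s
# with the same minimum rate. Without this, a client can hold a worker open for
# the full Timeout (300 s by default) by trickling one byte at a time.
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500

# --- Finding: insecure HTTP ---
# The plain-HTTP listener serves nothing; it only redirects to HTTPS.
Listen 80
<VirtualHost *:80>
    # placeholder hostname
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # placeholder certificate and key paths
    SSLCertificateFile    /etc/httpd/tls/example.crt
    SSLCertificateKeyFile /etc/httpd/tls/example.key

    # --- Finding: POODLE (CVE-2014-3566, CBC padding oracle in SSLv3) ---
    # WEAK:  SSLProtocol all      (SSLv3 and TLS 1.0/1.1 stay negotiable)
    # FIXED: TLS 1.2 and 1.3 only. "+TLSv1.3" is accepted from httpd 2.4.36 with
    #        OpenSSL 1.1.1; on older builds configtest rejects it, so use
    #        "all -SSLv3 -TLSv1 -TLSv1.1" there instead.
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # --- Finding: SWEET32 (CVE-2016-2183, birthday attack on 64-bit block ciphers) ---
    # WEAK:  SSLCipherSuite HIGH:!aNULL   (the HIGH alias still contains 3DES-CBC)
    # FIXED: forward-secret AEAD suites only; 3DES/DES/RC4/MD5 excluded explicitly
    #        so a later OpenSSL alias change cannot re-enable them.
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!3DES:!DES:!RC4:!MD5
    # TLS 1.3 suites are a separate list (httpd >= 2.4.36 syntax); none of them is weak,
    # this only pins the preferred order.
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
    # Server picks the cipher, so a client offering 3DES first still gets AES-GCM.
    SSLHonorCipherOrder on
    # TLS compression enables CRIME; off by default in 2.4 but pinned here.
    SSLCompression off

    # HSTS: once seen, browsers refuse plain HTTP for this host for a year.
    # Only meaningful on the HTTPS vhost; the header is ignored over HTTP.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>
```

Run `httpd -t` (or `apachectl configtest`) after editing; if it reports an unknown protocol for TLSv1.3, the binary is older than 2.4.36 or linked against OpenSSL 1.1.0 and the fallback SSLProtocol form above applies. To confirm the findings are gone from outside, `openssl s_client -connect www.example.com:443 -tls1_2 -cipher 'DES-CBC3-SHA'` must fail with a handshake failure (SWEET32), `openssl s_client -connect www.example.com:443 -tls1` must fail (POODLE family), and `curl -sI https://www.example.com/ | grep -i '^Server:'` should show only `Server: Apache`. ServerTokens Prod cannot hide the product name itself; removing it entirely needs a filter such as mod_security or a source patch, which this example does not do.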


First, let's look at which risks 2.2 carries

Fixed in Apache httpd 2.2.23
  low: XSS in mod_negotiation when untrusted uploads are supported (CVE-2012-2687)
  low: insecure LD_LIBRARY_PATH handling (CVE-2012-0883)
Fixed in Apache httpd 2.2.24
  low: XSS due to unescaped hostnames (CVE-2012-3499)
  moderate: XSS in mod_proxy_balancer (CVE-2012-4558)
Fixed in Apache httpd 2.2.25
  low: mod_rewrite log escape filtering (CVE-2013-1862)
  moderate: mod_dav crash (CVE-2013-1896)
Fixed in Apache httpd 2.2.27
  low: mod_log_config crash (CVE-2014-0098)
  moderate: mod_dav crash (CVE-2013-6438)
Fixed in Apache httpd 2.2.29
  important: mod_cgid denial of service (CVE-2014-0231)
  low: HTTP Trailers processing bypass (CVE-2013-5704)
  moderate: mod_deflate denial of service (CVE-2014-0118)
  moderate: mod_status buffer overflow (CVE-2014-0226)
Fixed in Apache httpd 2.2.31
  low: HTTP request smuggling attack against chunked request parser (CVE-2015-3183)
Fixed in Apache httpd 2.2.32
  important: Apache HTTP Request Parsing Whitespace Defects (CVE-2016-8743)
  moderate: mod_userdir CRLF injection (CVE-2016-4975)
  n/a: HTTP_PROXY environment variable "httpoxy" mitigation (CVE-2016-5387)
Fixed in Apache httpd 2.2.34
  important: Uninitialized memory reflection in mod_auth_digest (CVE-2017-9788)
  important: ap_get_basic_auth_pw() Authentication Bypass (CVE-2017-3167)
  important: mod_ssl Null Pointer Dereference (CVE-2017-3169)
  important: ap_find_token() Buffer Overread (CVE-2017-7668)
  important: mod_mime Buffer Overread (CVE-2017-7679)
Not fixed in Apache httpd 2.2
  *Apache httpd 2.2 has reached end-of-life and no longer receives updates. Some of the vulnerabilities above can lead to source-code disclosure.
Latest versions: Apache httpd 2.4.37, OpenSSL 1.1.1

Copyright notice: unless stated otherwise, all articles are original to this site.

When reposting, credit the source: https://www.heiqu.com/zygpws.html