Apache Tomcat h2cÇëÇó»ìÏýÎó²î£¨CVE-2021-25122£©

Ðû²¼Ê±¼ä 2021-03-02

0x00 Îó²î¸ÅÊö

CVE  ID

CVE-2021-25122

ʱ   ¼ä

2021-03-02

Àà   ÐÍ


µÈ   ¼¶

¸ßΣ

Ô¶³ÌʹÓÃ

ÊÇ

Ó°Ïì¹æÄ£


 

0x01 Îó²îÏêÇé

image.png

2021Äê03ÔÂ01ÈÕ£¬£¬£¬Apache¹Ù·½Ðû²¼Ç徲ͨ¸æ£¬£¬£¬ÐÞ¸´ÁËTomcatÖеÄÒ»¸ö h2cÇëÇó»ìÏýÎó²î£¨CVE-2021-25122£©¡£¡£¡£¡£¡£¡£¡£

µ±ÏìӦеÄh2cÅþÁ¬ÇëÇóʱ£¬£¬£¬Apache Tomcat¿ÉÒÔ½«ÇëÇó±êÍ·ºÍÊýÄ¿ÓÐÏÞµÄÇëÇóÖ÷Ìå´ÓÒ»¸öÇëÇó¸´ÖƵ½ÁíÒ»¸öÇëÇ󣬣¬£¬Õ⽫µ¼ÖÂÓû§AºÍÓû§B¶¼¿ÉÒÔ¿´µ½Óû§AµÄÇëÇóЧ¹û¡£¡£¡£¡£¡£¡£¡£ÏÖÔÚ¸ÃÎó²îÒѾ­ÐÞ¸´£¬£¬£¬´úÂëÈçÏ£º

image.png

 

Ó°Ïì¹æÄ£

Apache Tomcat 10.0.0-M1-10.0.0

Apache Tomcat 9.0.0.M1-9.0.41

Apache Tomcat 8.5.0-8.5.61

 

±ðµÄ£¬£¬£¬ÓÉÓÚApache Tomcat¶ÔCVE-2020-9484µÄÐÞ¸´²»ÍêÕû£¬£¬£¬µ¼ÖÂTomcatÈÔÈ»ÈÝÒ×Êܵ½Õë¶ÔCVE-2020-9484µÄ¹¥»÷£¨Îó²î×·×ÙΪCVE-2021-25329£¬£¬£¬µÍΣ£©¡£¡£¡£¡£¡£¡£¡£¸ÃÎó²î½«Ó°ÏìApache Tomcat°æ±¾10.0.0-M1-10.0.0¡¢9.0.0.M1-9.0.41¡¢8.5.0-8.5.61¡¢7.0.0-7.0.107£¬£¬£¬CVE-2020-9484µÄʹÓÃÌõ¼þ¼°»º½â²½·¥Í¬ÑùÊÊÓÃÓÚ´ËÎó²î¡£¡£¡£¡£¡£¡£¡£

 

0x02 ´¦Öóͷ£½¨Òé

Õë¶ÔCVE-2021-25122£¬£¬£¬½¨ÒéÉý¼¶ÖÁÒÔÏ°汾£º

Apache Tomcat 10.0.2»ò¸ü¸ß°æ±¾¡£¡£¡£¡£¡£¡£¡£

Apache Tomcat 9.0.43»ò¸ü¸ß°æ±¾¡£¡£¡£¡£¡£¡£¡£

Apache Tomcat 8.5.63»ò¸ü¸ß°æ±¾¡£¡£¡£¡£¡£¡£¡£

 

Õë¶ÔCVE-2021-25329£¬£¬£¬½¨ÒéÉý¼¶ÖÁÒÔÏ°汾£º

Apache Tomcat 10.0.2»ò¸ü¸ß°æ±¾¡£¡£¡£¡£¡£¡£¡£

Apache Tomcat 9.0.43»ò¸ü¸ß°æ±¾¡£¡£¡£¡£¡£¡£¡£

Apache Tomcat 8.5.63»ò¸ü¸ß°æ±¾¡£¡£¡£¡£¡£¡£¡£

Apache Tomcat 7.0.108»ò¸ü¸ß°æ±¾¡£¡£¡£¡£¡£¡£¡£

 

ÏÂÔØÁ´½Ó£º

https://tomcat.apache.org/download-10.cgi

 

0x03 ²Î¿¼Á´½Ó

https://tomcat.apache.org/security-10.html

http://mail-archives.apache.org/mod_mbox/www-announce/202103.mbox/%3Cb7626398-5e6d-1639-4e9e-e41b34af84de@apache.org%3E

http://mail-archives.apache.org/mod_mbox/www-announce/202103.mbox/%3C811bba77-e74e-9f9b-62ca-5253a09ba84f@apache.org%3E

https://github.com/apache/tomcat/commit/dd757c0a893e2e35f8bc1385d6967221ae8b9b9b#

 

0x04 ʱ¼äÏß

2021-03-01  ApacheÐû²¼Ç徲ͨ¸æ

2021-03-02  VSRCÐû²¼Ç徲ͨ¸æ

 

0x05 ¸½Â¼

 

CVSSÆÀ·Ö±ê×¼¹ÙÍø£ºhttp://www.first.org/cvss/

image.png