Ghostcat, a vulnerability in Tomcat that allows code to be substituted


Researchers from Chaitin Tech, China, have released details of a new finding: they discovered a vulnerability in the popular servlet container (Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket) Apache Tomcat (already catalogued as CVE-2020-1938).

This vulnerability was given the codename "Ghostcat" and a critical severity level (CVSS 9.8). In the default configuration, the problem allows a request sent through network port 8009 to read the contents of any file in the web application directory, including application source code and configuration files.

The vulnerability also allows other files to be included into the application code, which permits arbitrary code execution on the server if the application allows files to be uploaded to it.

For example, if the web application allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be of any type, such as an image, a plain-text file, etc.) and then include the uploaded file through the Ghostcat vulnerability, which can ultimately lead to execution of arbitrary code.

It was also noted that an attack is possible whenever a request can be sent to the network port served by the AJP connector. According to preliminary data, a network scan found more than 1.2 million hosts accepting requests over the AJP protocol.

The vulnerability lies in the AJP protocol itself and is not caused by an implementation error.

In addition to accepting HTTP connections (port 8080), Apache Tomcat by default also allows the web application to be accessed over the AJP protocol.

AJP provides standard functionality for accessing files on the server, which can be abused, including to retrieve files that are not meant to be disclosed.

Access to AJP is supposed to be open only to trusted servers, but in fact, in the default Tomcat configuration, the connector is started on all network interfaces and requests are accepted without authentication.

Any file in the web application can be accessed, including the contents of WEB-INF, META-INF, and any other directory returned by a call to ServletContext.getResourceAsStream(). AJP also allows any file in the directories available to the web application to be processed as a JSP script.

The problem has existed since the release of the Tomcat 6.x branch 13 years ago. Besides Tomcat itself, it also affects products that use it, such as Red Hat JBoss Web Server (JWS), JBoss Enterprise Application Platform (EAP), and self-contained web applications that use Spring Boot.

A similar vulnerability (CVE-2020-1745) was also found in the Undertow web server used in the Wildfly application server. Various groups have already prepared more than a dozen working exploit examples.

Apache Tomcat has officially released versions 9.0.31, 8.5.51 and 7.0.100 to fix this vulnerability. To fix it properly, you must first determine whether the Tomcat AJP Connector service is used in your server environment:

  • If no cluster or reverse proxy is used, it can be assumed that AJP is not in use.
  • Otherwise, you need to check whether the cluster or the reverse proxy server communicates with the Tomcat AJP Connector service.

It was also noted that updates are now available in various Linux distributions, such as Debian, Ubuntu, RHEL, Fedora and SUSE.

As a workaround, you can disable the Tomcat AJP Connector service if it is not needed (bind the listening socket to localhost, or comment out the line containing `Connector port="8009"`), or configure a proper secret.
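To check which of these settings a server actually has, here is an added example (not code from the original article or from the Tomcat project) that parses a `server.xml` and flags AJP connectors that listen on all interfaces or require no shared secret; the sample `server.xml` embedded below is constructed for the demonstration, and it relies on the `address`, `secretRequired` and `secret` connector attributes of the fixed Tomcat releases.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way Ghostcat
(CVE-2020-1938) is reached: reachable from any interface and accepting
requests without a shared secret. Added example, not the article's code."""
import xml.etree.ElementTree as ET

# Constructed sample: one stock-style AJP connector (weak) and one hardened.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-VALUE" />
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one dict per AJP connector: its port and the findings for it."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        # AJP connectors are declared as "AJP/1.3" or via an Ajp* class name.
        if "AJP" not in proto and "Ajp" not in proto:
            continue
        findings = []
        address = conn.get("address")
        # Unpatched releases bind to every interface when address is unset;
        # an explicit loopback address keeps AJP off the network entirely.
        if address is None or address in ("0.0.0.0", "::"):
            findings.append("reachable on all interfaces; set address=\"127.0.0.1\" "
                            "or remove the connector")
        # secretRequired/secret were introduced with the fixed releases;
        # older configurations carry neither attribute.
        if conn.get("secretRequired", "true").lower() != "true":
            findings.append("secretRequired is disabled")
        elif not conn.get("secret"):
            findings.append("no secret configured; AJP requests are accepted unauthenticated")
        results.append({"port": conn.get("port"), "findings": findings})
    return results


if __name__ == "__main__":
    for entry in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not entry["findings"] else "; ".join(entry["findings"])
        print(f"AJP connector on port {entry['port']}: {status}")
```

Run it against a real `server.xml` by reading the file into `audit_ajp_connectors`; the HTTP connector is skipped, and only AJP connectors appear in the report.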

If you want to know more about it, you can consult the following link.
