Ghostcat, a vulnerability in Tomcat that allows code to be substituted


Researchers at Chaitin Tech, China, have disclosed details of a newly discovered vulnerability they found in the popular servlet container (Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket) Apache Tomcat (already catalogued as CVE-2020-1938).

The vulnerability was given the code name "Ghostcat" and a critical severity rating (CVSS 9.8). In the default configuration, the problem allows anyone who can send a request to network port 8009 to read the contents of any file in the web application directory, including application source code and configuration files.

The vulnerability also makes it possible to include other files in the application code, which allows arbitrary code execution on the server if the application lets files be uploaded to the server.

For example, if the web application allows users to upload files, an attacker can first upload a file containing malicious JSP script code to the server (the uploaded file itself can be any kind of file, such as an image or a plain text file) and then include the uploaded file by exploiting Ghostcat, which can ultimately lead to remote code execution.

It is also noted that the attack can be carried out whenever it is possible to send a request to the network port served by the AJP connector. According to preliminary data, more than 1.2 million hosts accepting requests over the AJP protocol were found on the Internet.

The vulnerability lies in the AJP protocol itself and is not caused by an implementation error.

In addition to accepting HTTP connections (port 8080), Apache Tomcat by default also allows access to the web application through the AJP protocol (Apache JServ Protocol, port 8009), a binary analogue of HTTP designed for higher performance, typically used when building clusters of Tomcat servers or to speed up interaction with Tomcat behind a reverse proxy or load balancer.

AJP provides a standard function for accessing files on the server, which can be abused, including to retrieve files that are not meant to be disclosed.

Access to AJP is assumed to be open only to trusted servers, but in fact, in the default Tomcat configuration, the connector is enabled on all network interfaces and requests are accepted without authentication.

Access is possible to any file in the web application, including the contents of WEB-INF, META-INF, and any directory returned through the ServletContext.getResourceAsStream() call. AJP also allows any file in directories accessible to the web application to be executed as a JSP script.

The problem has been present since the Tomcat 6.x branch was released thirteen years ago. In addition to Tomcat itself, the problem also affects products that use it, such as Red Hat JBoss Web Server (JWS), JBoss Enterprise Application Platform (EAP), as well as standalone web applications that use Spring Boot.

A similar vulnerability (CVE-2020-1745) was also found in the Undertow web server used in the Wildfly application server. Various groups have already prepared more than a dozen working exploits for the vulnerability.

Apache Tomcat has officially released versions 9.0.31, 8.5.51 and 7.0.100 to fix this vulnerability. To fix it properly, you must first determine whether the Tomcat AJP Connector service is used in your server environment.

  • If no cluster or reverse proxy is used, it can reasonably be assumed that AJP is not in use.
  • Otherwise, you need to find out whether the cluster or reverse proxy server is communicating with the Tomcat AJP Connector service.

It is also noted that patches are already available in various Linux distributions such as Debian, Ubuntu, RHEL, Fedora and SUSE.

As a workaround, you can disable the Tomcat AJP Connector service (bind its listening socket to localhost, or comment out the line containing Connector port="8009") if it is not needed, or configure authenticated access.
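The following POSIX shell script is an added example, not part of the original post and not Tomcat's own tooling. It performs the check described in the two steps above on a server.xml file: it ignores commented-out elements, finds any active AJP connector, and reports whether that connector is restricted to a loopback address. The three server.xml samples it creates are constructed here; the first is the default-style configuration the post describes, the second keeps AJP for a local reverse proxy but binds it to 127.0.0.1 and uses the `secretRequired`/`secret` attributes (real Connector attributes that require the fixed versions 9.0.31, 8.5.51 or 7.0.100 or later; the secret value is a placeholder), and the third has the connector commented out.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Tomcat server.xml for an
# AJP connector that is active and reachable beyond the loopback interface.
# Assumes the usual <Connector ... protocol="AJP/1.3" ... /> element layout.

# Print each active (not commented-out) Connector element that uses AJP,
# one element per line, even if the element spans several lines in the file.
active_ajp_connectors() {
    awk '
    { doc = doc $0 " " }
    END {
        # Drop XML comments so the commented-out AJP examples found in a
        # default server.xml are not mistaken for live connectors.
        s = doc; out = ""
        while ((i = index(s, "<!--")) > 0) {
            out = out substr(s, 1, i - 1)
            s = substr(s, i + 4)
            j = index(s, "-->")
            if (j == 0) { s = ""; break }
            s = substr(s, j + 3)
        }
        s = out s
        # Split into elements; match "AJP/1.3" and the explicit Ajp*Protocol class names.
        n = split(s, el, ">")
        for (k = 1; k <= n; k++)
            if (el[k] ~ /<Connector/ && tolower(el[k]) ~ /ajp/) print el[k] ">"
    }' "$1"
}

# Classify the exposure: "none" (no active AJP connector), "loopback" (every
# AJP connector carries a loopback address attribute) or "exposed" (at least
# one AJP connector listens on all interfaces or a non-loopback address).
ajp_exposure() {
    conns=$(active_ajp_connectors "$1")
    if [ -z "$conns" ]; then
        echo none
    elif printf '%s\n' "$conns" | grep -Eqv 'address="(127\.0\.0\.1|::1|localhost)"'; then
        echo exposed
    else
        echo loopback
    fi
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample 1: the default-style configuration the post describes,
# AJP on port 8009 with no address restriction and no authentication.
cat > "$WORK/default.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
EOF

# Constructed sample 2: AJP kept for a local reverse proxy but bound to
# loopback and, on Tomcat 9.0.31 / 8.5.51 / 7.0.100 or later, protected by a
# shared secret (the secret value here is a placeholder).
cat > "$WORK/hardened.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-A-LONG-RANDOM-SECRET"
               redirectPort="8443" />
  </Service>
</Server>
EOF

# Constructed sample 3: AJP is not needed, so the connector is commented out.
cat > "$WORK/disabled.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    -->
  </Service>
</Server>
EOF

for f in default hardened disabled; do
    printf '%-9s %s\n' "$f" "$(ajp_exposure "$WORK/$f.xml")"
done
```

Run it against a real `conf/server.xml` by calling `ajp_exposure /path/to/server.xml`; a result of `exposed` means the connector will accept AJP requests from any host that can reach port 8009. On the running host, `ss -ltn` shows whether something is actually listening on 8009 and on which address, which is worth cross-checking because a connector can also be configured outside server.xml by the product that embeds Tomcat.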

If you want to know more about it, you can consult the following link.
