Ghostcat, a vulnerability in Tomcat that allows code to be substituted


Researchers from Chaitin Tech in China have released information about a new finding: they identified a vulnerability in the popular servlet container (Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket) Apache Tomcat (already registered as CVE-2020-1938).

The vulnerability was given the code name "Ghostcat" and a critical severity rating (9.8 CVSS). In the default configuration, the issue allows anyone who can send a request to network port 8009 to read the contents of any file in the web application directory, including the application's source code and configuration files.

The vulnerability also allows other files to be included into the application code, which makes arbitrary code execution on the server possible if the application lets files be uploaded to the server.

For example, if a website application allows users to upload files, an attacker could first upload a file containing malicious JSP script code to the server (the uploaded file itself can be of any file type, such as an image, a plain text file, etc.) and then include the uploaded file by exploiting the Ghostcat vulnerability, which can ultimately lead to remote code execution.

It is also mentioned that the attack can be carried out whenever it is possible to send a request to the network port served by the AJP handler. According to preliminary data, more than 1.2 million hosts that accept requests over the AJP protocol were found on the Internet.

The vulnerability is inherent in the AJP protocol and is not caused by an implementation error.

In addition to accepting HTTP connections (port 8080), Apache Tomcat by default also allows access to the web application through the AJP protocol (Apache JServ Protocol, port 8009), a binary analogue of HTTP optimized for higher performance that is widely used when building a Tomcat cluster or to speed up interaction with Tomcat behind a reverse proxy or load balancer.

AJP provides a standard function for accessing files on the server, which can be used, among other things, to obtain files that are not meant to be disclosed.

Access to AJP is understood to be intended only for trusted servers, but in fact, in the default Tomcat configuration, the handler is started on all network interfaces and requests are accepted without authentication.

Access is possible to any file in the web application, including the contents of WEB-INF, META-INF, and any other directory returned by a call to ServletContext.getResourceAsStream(). AJP also allows any file in the directories available to the web application to be used as a JSP script.

The issue has been present since the release of the Tomcat 6.x branch 13 years ago. In addition to Tomcat itself, the issue also affects products that use it, such as Red Hat JBoss Web Server (JWS), JBoss Enterprise Application Platform (EAP), and standalone web applications that use Spring Boot.

A similar vulnerability (CVE-2020-1745) was also found in the Undertow web server used in the WildFly application server. Currently, various groups have prepared more than a dozen working exploits.

Apache Tomcat has officially released versions 9.0.31, 8.5.51 and 7.0.100 to fix this vulnerability. To fix this issue correctly, you must first determine whether the Tomcat AJP connector is used in your server environment:

  • If no cluster or reverse proxy is used, it can be concluded that AJP is not in use.
  • Otherwise, you must find out whether the cluster or reverse proxy communicates with the Tomcat AJP Connector service.

It is also mentioned that updates are already available in the various Linux distributions, such as Debian, Ubuntu, RHEL, Fedora and SUSE.

As a workaround, you can disable the Tomcat AJP Connector service (bind the listening socket to localhost, or comment out the line containing `Connector port="8009"`) if it is not needed, or configure authenticated access.
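The following Python script is an added example, not code from the article or from the Tomcat project: it parses a `server.xml` and flags AJP connectors that are bound to a non-loopback address or have no shared secret, showing the weak default beside the hardened form described above. The two XML fragments are constructed samples, the `secret` value is a placeholder, and the check assumes that a missing `address` attribute means the pre-fix default of all interfaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the pre-fix Tomcat default, an AJP connector
# with no address (all interfaces) and no shared secret.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# The same file after the workaround from the article: bound to loopback and
# requiring a shared secret (the value is a placeholder, not a real secret).
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_RANDOM_SECRET"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per AJP connector: its port, bind address and issues."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Matches "AJP/1.3" as well as the explicit org.apache.coyote.ajp.* classes.
        if "ajp" not in conn.get("protocol", "HTTP/1.1").lower():
            continue
        # Assumption: no address attribute means the pre-fix default, all interfaces.
        address = conn.get("address", "0.0.0.0")
        # 'secret' (9.0.31/8.5.51/7.0.100) replaced the older 'requiredSecret' attribute.
        secret = conn.get("secret") or conn.get("requiredSecret")
        issues = []
        if address not in LOOPBACK:
            issues.append("bound to a non-loopback address")
        if not secret:
            issues.append("no shared secret configured")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


def is_exposed(server_xml: str) -> bool:
    """True if any AJP connector in the file has at least one issue."""
    return any(f["issues"] for f in audit_ajp_connectors(server_xml))
```

Run `audit_ajp_connectors(open("conf/server.xml").read())` against a real installation to list every AJP connector and what is wrong with it; an empty `issues` list for each entry means the workaround is in place.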

If you want to know more about it, you can consult the following link.
