Apache Tomcat remote code execution vulnerability

Details have been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, the open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The issue allows code execution on the server by sending a specially crafted request. The vulnerability has been fixed in Apache Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104.

To exploit the vulnerability successfully, the attacker must be able to control the content and the file name of a file on the server (for example, if the application allows uploading documents or images). In addition, the attack is only possible on systems that use PersistenceManager with FileStore storage, in configurations where the sessionAttributeValueClassNameFilter parameter is set to "null" (the default if a SecurityManager is not in use) or to a lax filter that permits object deserialization. The attacker must also know or guess the path to the file under their control, relative to the FileStore location.
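The following context.xml fragment is an added example, not part of the original notice or of the Tomcat project's documentation. It shows the session-persistence configuration the notice describes, first in the exposed form (PersistentManager with a FileStore and no class-name filter) and then with the sessionAttributeValueClassNameFilter attribute set to an allow-list regex so that only explicitly listed classes are deserialized when a session is reloaded from disk. The directory path and the class names in the allow-list are placeholders chosen for illustration.

```xml
<!-- EXPOSED: sessions are serialized to files and reloaded without any
     class-name filter. With no SecurityManager the filter defaults to null,
     so any class on the classpath may be deserialized from a session file. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions" />   <!-- placeholder path -->
  </Manager>
</Context>

<!-- HARDENED (added example): same persistence setup, but only the listed
     classes may be deserialized as session attribute values. Anything else
     is rejected when the session is loaded. Extend the regex with the
     application's own session attribute classes (placeholders below). -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.app\.session\.(?:UserInfo|CartState)">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions" />   <!-- placeholder path -->
  </Manager>
</Context>
```

The filter is applied in addition to upgrading to one of the fixed releases listed above, not instead of it; on an unpatched server the allow-list limits what a reloaded session may contain, while the upgrade removes the crafted-request path itself. If session persistence is not actually needed, removing the Manager/Store configuration altogether is the simplest option.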

source: budenet.ru
