Vulnerability in Apache Tomcat that allows JSP code to be substituted and web application files to be retrieved

Researchers from the Chinese company Chaitin Tech have identified a vulnerability (CVE-2020-1938) in Apache Tomcat, the open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The vulnerability has been given the code name Ghostcat and a critical severity rating (CVSS 9.8). In the default configuration, the problem makes it possible, by sending a request to network port 8009, to read the contents of any file in the web application directory, including configuration files and the application's source code.

The vulnerability also makes it possible to import other files into the application's code, which allows code execution on the server if the application permits file uploads (for example, an attacker could upload a JSP script disguised as an image through an image upload form). The attack can be carried out by anyone able to send a request to the network port served by the AJP handler. According to preliminary data, more than 1.2 million hosts accepting requests over the AJP protocol have been found on the internet.

The vulnerability lies in the AJP protocol itself and is not caused by an implementation error. Besides accepting connections over HTTP (port 8080), Apache Tomcat by default also allows the web application to be accessed through the AJP protocol (Apache JServ Protocol, port 8009), a performance-optimised binary counterpart to HTTP that is usually used when building a cluster of Tomcat servers or to speed up communication with Tomcat behind a reverse proxy or load balancer.

AJP provides a standard function for accessing files on the server, which can be used, among other things, to obtain files that are not meant to be disclosed. AJP should be reachable only from trusted servers, but in practice the default Tomcat configuration starts the handler on all network interfaces and accepts requests without authentication. Any web application file can be accessed, including the contents of WEB-INF, META-INF and any other directories served via ServletContext.getResourceAsStream(). AJP also allows any file in directories accessible to the web application to be used as a JSP script.

The problem has been present since the Tomcat 6.x branch, released 13 years ago. Besides Tomcat itself, products built on it are also affected, such as Red Hat JBoss Web Server (JWS), JBoss Enterprise Application Platform (EAP), and self-contained web applications that use Spring Boot. A similar vulnerability (CVE-2020-1745) exists in the Undertow web server used in the Wildfly application server. In JBoss and Wildfly, the AJP protocol is enabled by default only in the standalone-full-ha.xml and standalone-ha.xml profiles and in the ha/full-ha profiles of domain.xml. In Spring Boot, AJP support is disabled by default. More than a dozen working exploit examples have been prepared by various groups (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11).

The vulnerability has been fixed in Tomcat releases 9.0.31, 8.5.51 and 7.0.100 (maintenance of the 6.x branch has ended). Distribution updates can be tracked on these pages: Debian, Ubuntu, RHEL, Fedora, SUSE, FreeBSD. As a workaround, you can disable the Tomcat AJP Connector service (bind the listening socket to localhost, or comment out the line containing Connector port="8009") if it is not needed, or configure authenticated access using the "secret" and "address" attributes if the service is used to communicate with other servers and proxies based on mod_jk and mod_proxy_ajp (mod_cluster does not support authentication).
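To make the workaround concrete, here is an added example (not code from the article, Chaitin Tech or the Tomcat project) that shows the three server.xml states described above as constructed fragments and audits them: the historical default with an AJP connector on all interfaces and no secret, the hardened form using the "address" and "secret" attributes, and the connector commented out. The `secretRequired` attribute and the `REPLACE_WITH_A_LONG_RANDOM_SECRET` placeholder are illustrative; the audit function only checks the two mitigations the article names.

```python
"""Audit a Tomcat server.xml for AJP connectors that are reachable from other
hosts without a shared secret (the exposure behind CVE-2020-1938 / Ghostcat).
Added example; all server.xml fragments below are constructed samples."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: the historical default. The AJP connector listens on
# every interface and accepts requests without any authentication.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: the hardened form for a reverse proxy on the same host.
# "address" restricts the listener to loopback and "secret" requires the
# proxy (mod_jk / mod_proxy_ajp) to present a shared secret on every request.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE_WITH_A_LONG_RANDOM_SECRET"
               redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed sample: AJP not needed, so the connector line is commented out.
DISABLED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
  </Service>
</Server>"""

# Addresses that keep the AJP listener unreachable from other hosts.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> List[Dict]:
    """Return one finding per AJP connector found in the given server.xml text.

    A connector is reported as exposed when it is neither bound to a loopback
    address nor protected by a shared secret. Commented-out connectors are
    ignored by the XML parser, so a disabled connector produces no finding.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # Tomcat treats a missing protocol attribute as HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")
        bound_to_loopback = address in LOOPBACK
        has_secret = bool(conn.get("secret"))
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "bound_to_loopback": bound_to_loopback,
            "has_secret": has_secret,
            "exposed": not (bound_to_loopback or has_secret),
        })
    return findings


def is_exposed(server_xml: str) -> bool:
    """True if any AJP connector in the configuration is exposed."""
    return any(f["exposed"] for f in audit_ajp_connectors(server_xml))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML),
                       ("disabled", DISABLED_SERVER_XML)):
        print(label, "exposed" if is_exposed(cfg) else "ok", audit_ajp_connectors(cfg))
```

Point the script at a real server.xml by reading the file into a string and passing it to `audit_ajp_connectors`. Binding to loopback is the stronger of the two mitigations because it removes network reachability entirely; the shared secret is the option for setups where the proxy runs on another host, and as the article notes it does not help with mod_cluster.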

source: budenet.ru
