Apache Tomcat remote code execution vulnerability

Details have been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, an open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The issue allows code to be executed on the server by sending a specially crafted request. The vulnerability was fixed in the Apache Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104 releases.

To exploit the vulnerability successfully, the attacker must be able to control the content and name of a file on the server (for example, if the application allows documents or images to be uploaded). In addition, the attack is only possible on systems that use the PersistenceManager with FileStore storage, in configurations where the sessionAttributeValueClassNameFilter parameter is set to "null" (the default when SecurityManager is not used) or a weak filter is chosen that allows object deserialization. The attacker must also know or guess the path to the file they control, relative to the FileStore location.
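As an added example (not from the original article or the Tomcat project), a small Python audit that parses constructed context.xml fragments and flags the precondition described above: a PersistentManager backed by a FileStore with no sessionAttributeValueClassNameFilter set. The class names org.apache.catalina.session.PersistentManager and org.apache.catalina.session.FileStore are Tomcat's own; the sample fragments and the allow-list regex in the hardened variant are constructed for illustration.

```python
"""Audit Tomcat context.xml fragments for the CVE-2020-9484 precondition.

The weak combination is a PersistentManager with a FileStore and no
sessionAttributeValueClassNameFilter: with the attribute unset (and no
SecurityManager) every serializable class may be deserialized from a
session file.
"""
import xml.etree.ElementTree as ET

# Constructed sample: PersistentManager + FileStore, filter not set (weak).
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: same storage, deserialization limited to an allow-list regex.
HARDENED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""


def audit_context(xml_text):
    """Return a list of finding strings; an empty list means no weak Manager was found."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != "org.apache.catalina.session.PersistentManager":
            continue
        # Only file-backed session stores match the precondition in the article.
        has_filestore = any(
            store.get("className") == "org.apache.catalina.session.FileStore"
            for store in manager.findall("Store")
        )
        if not has_filestore:
            continue
        flt = manager.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt.strip() == "":
            findings.append("PersistentManager with FileStore and no sessionAttributeValueClassNameFilter")
        elif flt.strip() == ".*":
            findings.append("sessionAttributeValueClassNameFilter allows every class (.*)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(name, audit_context(text) or ["ok"])
```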

Source: opennet.ru
