Remote code execution vulnerability in Apache Tomcat

Details have been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, an open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The issue makes it possible to achieve code execution on the server by sending a specially crafted request. The vulnerability has been fixed in Apache Tomcat releases 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104.

To exploit the vulnerability successfully, the attacker must be able to control the contents and the name of a file on the server (for example, if the application allows documents or images to be uploaded). In addition, the attack is possible only on systems that use the PersistenceManager with FileStore storage, in whose settings the sessionAttributeValueClassNameFilter parameter is set to "null" (the default if SecurityManager is not used) or a weak filter is chosen that permits object deserialization. The attacker must also know the path to the file they control, relative to the location of the FileStore.
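The conditions above can be checked on a deployment. The following is an added example, not code from the article or from the Tomcat project: it compares a version string against the fixed releases listed above and inspects a context.xml fragment for a file-backed persistent session manager without a restrictive class-name filter. The sample XML, the probe class name and the function names are constructed for illustration, and Python's regex engine is assumed to be close enough to Java's for simple filters.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, from the article: branch -> (patch, milestone).
FIXED = {"10.0": (0, 5), "9.0": (35, 0), "8.5": (55, 0), "7.0": (104, 0)}
PROBE = "com.example.NotAllowlisted"  # constructed class name, used only as a probe

def is_patched(version):
    """True/False for a listed branch, None if the branch is not in FIXED."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)(?:-M(\d+))?", version)
    if not m or m.group(1) not in FIXED:
        return None
    # A milestone build (x.y.z-Mn) sorts before the final x.y.z release.
    key = (int(m.group(2)), int(m.group(3)) if m.group(3) else float("inf"))
    return key >= FIXED[m.group(1)]

def audit_context(xml_text):
    """Flag <Manager> elements that match the exposed configuration."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        store = mgr.find("Store")
        # Tomcat's class is named PersistentManager; FileStore is its nested <Store>.
        if not mgr.get("className", "").endswith(".PersistentManager"):
            continue
        if store is None or not store.get("className", "").endswith(".FileStore"):
            continue
        flt = mgr.get("sessionAttributeValueClassNameFilter")
        if not flt:
            findings.append("FileStore in use, no class-name filter configured")
            continue
        try:
            # Heuristic: Python's re stands in for Java's regex engine here.
            if re.fullmatch(flt, PROBE):
                findings.append("filter %r accepts arbitrary class names" % flt)
        except re.error:
            findings.append("filter %r not evaluable here, review by hand" % flt)
    return findings

# Constructed context.xml fragments: exposed, then with a narrow allowlist.
EXPOSED = """<Context><Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
</Manager></Context>"""
HARDENED = EXPOSED.replace('PersistentManager"', 'PersistentManager" '
    r'sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|String)"')

if __name__ == "__main__":
    print(is_patched("9.0.34"), audit_context(EXPOSED), audit_context(HARDENED))
```

A finding here means only that the configuration precondition is met; the other conditions described above still apply.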

Source: opennet.ru
