Remote code execution vulnerability in Apache Tomcat

Details have been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, an open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The issue makes it possible to execute code on the server by sending a specially crafted request. The vulnerability is fixed in the Apache Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104 releases.

To exploit the vulnerability successfully, the attacker must control the contents and the name of a file on the server (for example, if the application allows documents or images to be uploaded). In addition, the attack is possible only on systems that use PersistenceManager with FileStore storage, in configurations where the sessionAttributeValueClassNameFilter parameter is set to "null" (the default when SecurityManager is not used) or where a weak filter is selected that allows object deserialization. The attacker must also know or guess the path to the file they control, relative to the location of the FileStore.
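A defensive check for the configuration preconditions above, added here as an example (not code from the article or from the Tomcat project): it audits a context.xml for a persistent manager with a FileStore whose sessionAttributeValueClassNameFilter is unset or too permissive. The class names are Tomcat's own; `audit_context`, the probe class name and the sample configurations are constructed for illustration, and treating the filter as a full match evaluated with Python's regex engine is an assumption.

```python
import re
import xml.etree.ElementTree as ET

MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"
PROBE = "com.example.constructed.AnyClass"  # constructed name a strict filter rejects

def audit_context(xml_text):
    """List findings for Manager elements matching the article's preconditions."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        uses_file_store = any(s.get("className") == FILE_STORE for s in mgr.iter("Store"))
        if mgr.get("className") != MANAGER or not uses_file_store:
            continue  # outside the configuration the article describes
        pattern = mgr.get(FILTER_ATTR)
        if pattern is None:
            findings.append("filter unset (null): attribute classes are not restricted")
            continue
        try:
            # Assumption: the filter must match the whole class name.
            weak = re.fullmatch(pattern, PROBE) is not None
        except re.error:
            findings.append("filter is not a valid regular expression")
            continue
        if weak:
            findings.append("weak filter: accepts an arbitrary class name")
    return findings

# Constructed sample configurations (not taken from any real deployment).
TEMPLATE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"{attr}>
    <Store className="org.apache.catalina.session.{store}" directory="sessions"/>
  </Manager>
</Context>"""
STRICT = r"java\.lang\.(?:Boolean|Integer|Long|Number|String)"
UNSET = TEMPLATE.format(attr="", store="FileStore")
WEAK = TEMPLATE.format(attr=' sessionAttributeValueClassNameFilter=".*"', store="FileStore")
HARDENED = TEMPLATE.format(attr=f' {FILTER_ATTR}="{STRICT}"', store="FileStore")

if __name__ == "__main__":
    for name, cfg in (("unset", UNSET), ("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_context(cfg) or "ok")
```

An empty result means the file does not match the configuration described above; it says nothing about whether the installed Tomcat release includes the fix.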

Source: opennet.ru