Vulnerability in Apache Tomcat that allows JSP code to be substituted and web application files to be retrieved

Researchers at the Chinese company Chaitin Tech have discovered a vulnerability (CVE-2020-1938) in Apache Tomcat, the open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The vulnerability has been given the code name Ghostcat and a critical severity rating (CVSS 9.8). In the default configuration, the flaw allows anyone who can send a request to network port 8009 to read the contents of any file in the web application directory, including configuration files and application source code.

The vulnerability also makes it possible to include other files in the application's code, which leads to code execution on the server if the application lets users upload files to it (for example, an attacker can upload a JSP script disguised as an image through an image upload form). The attack can be carried out whenever a request can be delivered to the network port served by the AJP handler. According to preliminary data, more than 1.2 million hosts accepting requests over the AJP protocol were found on the Internet.

The vulnerability lies in the AJP protocol itself and is not caused by a configuration error. Besides accepting connections over HTTP (port 8080), Apache Tomcat by default also exposes web applications over the AJP protocol (Apache JServ Protocol, port 8009), a binary analogue of HTTP optimized for performance that is typically used when building a cluster of Tomcat servers or to speed up the exchange between Tomcat and a reverse proxy or load balancer.

AJP provides a built-in function for accessing files on the server, which can be used, among other things, to retrieve files that are not meant to be disclosed. AJP should be reachable only by trusted servers, but in practice the default Tomcat configuration starts the handler on all network interfaces and accepts requests without authentication. Any web application file can be accessed, including the contents of WEB-INF, META-INF and any other directory served through a call to ServletContext.getResourceAsStream(). AJP also makes it possible to have any file in the directories accessible to the web application processed as a JSP script.
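To make the "binary analogue of HTTP" concrete, here is a minimal encoder and decoder for the AJP13 FORWARD_REQUEST message that a reverse proxy sends to port 8009. This is an added example written for this page, not Tomcat or Chaitin Tech code, and it builds a benign request rather than reproducing the Ghostcat exploit. It shows the framing Tomcat's AJP handler accepts from any client in the default configuration, and where the shared secret (attribute 0x0C) checked by the secret="..." Connector setting travels inside the same message. Method, header and attribute codes follow the AJP13 specification; the server name, port, header values and request attribute are constructed sample data.

```python
"""Minimal AJP13 FORWARD_REQUEST encoder/decoder (added example, not Tomcat code).

Client-to-container packets start with magic 0x12 0x34 and a 2-byte payload length.
Strings are a 2-byte length, the bytes and a NUL terminator. A FORWARD_REQUEST
(prefix 0x02) carries method, URI and headers, then typed attributes ending in 0xFF:
0x0A is a free-form request attribute (name + value) and 0x0C is the shared secret
that mod_jk or mod_proxy_ajp sends when the Connector has secret="...".
"""
import struct

AJP_MAGIC = b"\x12\x34"
FORWARD_REQUEST = 0x02
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6, "TRACE": 7}
COMMON_HEADERS = {
    "accept": 0xA001, "accept-charset": 0xA002, "accept-encoding": 0xA003,
    "accept-language": 0xA004, "authorization": 0xA005, "connection": 0xA006,
    "content-type": 0xA007, "content-length": 0xA008, "cookie": 0xA009,
    "cookie2": 0xA00A, "host": 0xA00B, "pragma": 0xA00C, "referer": 0xA00D,
    "user-agent": 0xA00E,
}
ATTR_REQ_ATTRIBUTE, ATTR_SECRET, ATTR_END = 0x0A, 0x0C, 0xFF


def ajp_string(text):
    """Encode an AJP string: big-endian length, bytes, NUL terminator."""
    data = text.encode()
    return struct.pack(">H", len(data)) + data + b"\x00"


def encode_forward_request(method, uri, server_name="localhost", server_port=8009,
                           headers=None, request_attributes=None, secret=None):
    """Build one FORWARD_REQUEST packet as a reverse proxy would send it."""
    body = bytes([FORWARD_REQUEST, METHODS[method.upper()]])
    body += ajp_string("HTTP/1.1") + ajp_string(uri)
    body += ajp_string("127.0.0.1") + ajp_string("")  # remote_addr, remote_host (sample)
    body += ajp_string(server_name) + struct.pack(">H", server_port)
    body += b"\x00"  # is_ssl = false
    headers = headers or {}
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = COMMON_HEADERS.get(name.lower())
        body += struct.pack(">H", code) if code else ajp_string(name)
        body += ajp_string(value)
    for name, value in (request_attributes or {}).items():
        body += bytes([ATTR_REQ_ATTRIBUTE]) + ajp_string(name) + ajp_string(value)
    if secret is not None:
        body += bytes([ATTR_SECRET]) + ajp_string(secret)
    body += bytes([ATTR_END])
    return AJP_MAGIC + struct.pack(">H", len(body)) + body


def _read_string(buf, pos):
    (length,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if length == 0xFFFF:  # AJP encodes a null string as length 0xFFFF with no data
        return None, pos
    return buf[pos:pos + length].decode(), pos + length + 1  # skip the NUL


def decode_forward_request(packet):
    """Parse a FORWARD_REQUEST back into a dict, as the container side does."""
    if packet[:2] != AJP_MAGIC:
        raise ValueError("bad AJP magic")
    (length,) = struct.unpack_from(">H", packet, 2)
    buf = packet[4:4 + length]
    if len(buf) != length or buf[0] != FORWARD_REQUEST:
        raise ValueError("truncated packet or not a FORWARD_REQUEST")
    req = {"method": {v: k for k, v in METHODS.items()}[buf[1]]}
    pos = 2
    for key in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[key], pos = _read_string(buf, pos)
    (req["server_port"],) = struct.unpack_from(">H", buf, pos)
    req["is_ssl"] = bool(buf[pos + 2])
    (num_headers,) = struct.unpack_from(">H", buf, pos + 3)
    pos += 5
    by_code = {v: k for k, v in COMMON_HEADERS.items()}
    req["headers"] = {}
    for _ in range(num_headers):
        (code,) = struct.unpack_from(">H", buf, pos)
        if code & 0xFF00 == 0xA000:  # well-known header sent as a 2-byte code
            name, pos = by_code[code], pos + 2
        else:  # otherwise a length-prefixed name (lengths are always below 0xA000)
            name, pos = _read_string(buf, pos)
        req["headers"][name], pos = _read_string(buf, pos)
    req["request_attributes"], req["secret"] = {}, None
    while buf[pos] != ATTR_END:
        code = buf[pos]
        pos += 1
        if code == ATTR_REQ_ATTRIBUTE:
            name, pos = _read_string(buf, pos)
            req["request_attributes"][name], pos = _read_string(buf, pos)
        elif code == ATTR_SECRET:
            req["secret"], pos = _read_string(buf, pos)
        else:  # every other attribute type is a single string value
            _, pos = _read_string(buf, pos)
    return req
```

Nothing in the framing identifies the sender: the only thing that ties a FORWARD_REQUEST to a trusted proxy is the optional 0x0C secret attribute, which is why an AJP port reachable from the network with no secret configured accepts requests from anyone.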

The problem has been present since the Tomcat 6.x branch, released 13 years ago. Besides Tomcat itself, the issue affects products built on it, such as Red Hat JBoss Web Server (JWS), JBoss Enterprise Application Platform (EAP) and self-contained applications built with Spring Boot. A similar vulnerability (CVE-2020-1745) was found in the Undertow web server used in the Wildfly application server. In JBoss and Wildfly, AJP is enabled by default in the standalone-full-ha.xml and standalone-ha.xml profiles and in the ha/full-ha profiles of domain.xml. In Spring Boot, AJP support is disabled by default. Various groups have so far published more than ten working exploits (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11).

The vulnerability is fixed in Tomcat releases 9.0.31, 8.5.51 and 7.0.100 (the 6.x branch is no longer maintained and will not be fixed). The availability of updates in distribution packages can be tracked on these pages: Debian, Ubuntu, RHEL, Fedora, SUSE, FreeBSD. As a workaround, disable the Tomcat AJP Connector if it is not needed (bind its listening socket to localhost or comment out the line with Connector port="8009"), or, if the service is used to talk to other servers and proxies based on mod_jk and mod_proxy_ajp, require authenticated access with the "secret" and "address" attributes (mod_cluster does not support authentication). In the fixed releases the AJP Connector is also commented out in the default server.xml, binds to the loopback interface by default and refuses to start without a configured secret unless secretRequired is explicitly set to false.
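The workaround comes down to two settings on the AJP Connector in conf/server.xml: restrict address to the loopback interface (or remove the Connector) and require a shared secret. The following added example, not part of the original article, audits a server.xml for AJP connectors that fail either check. The three server.xml fragments are constructed samples: the first mirrors the pre-fix default with the AJP connector enabled and unauthenticated, the second keeps AJP for a local proxy with both mitigations applied, and the third has the connector commented out. The secret value in the hardened sample is a placeholder.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed to Ghostcat (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the default shipped before 9.0.31 / 8.5.51 / 7.0.100,
# AJP on all interfaces with no secret.
DEFAULT_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: AJP kept for a mod_proxy_ajp front end on the same host,
# bound to loopback and protected by a shared secret (placeholder value).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed sample: the connector commented out, as in the fixed default server.xml.
DISABLED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def _is_loopback(address):
    """True only if the Connector is explicitly bound to a loopback address."""
    if address is None:
        return False
    if address.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_ajp_connectors(server_xml):
    """Return (port, finding) tuples for every AJP connector that lacks a loopback
    binding or a shared secret. Commented-out connectors never reach the parser,
    which matches how Tomcat treats them."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():  # "AJP/1.3" or org.apache.coyote.ajp.* classes
            continue
        port = conn.get("port", "?")
        if not _is_loopback(conn.get("address")):
            findings.append((port, 'AJP connector reachable from the network; set address="127.0.0.1" or remove it'))
        if conn.get("secretRequired", "true").lower() == "false":
            findings.append((port, 'secretRequired="false": unauthenticated AJP'))
        elif not (conn.get("secret") or conn.get("requiredSecret")):
            findings.append((port, "no secret configured: proxies cannot authenticate"))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("default", DEFAULT_SERVER_XML), ("hardened", HARDENED_SERVER_XML),
                            ("disabled", DISABLED_SERVER_XML)):
        print(label, audit_ajp_connectors(xml_text) or "no exposed AJP connector")
```

The check accepts requiredSecret as well as secret because older releases only knew the former name; a secret of any kind still has to be matched by the same value in the mod_jk or mod_proxy_ajp configuration on the proxy side.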

Source: opennet.ru
