Remote code execution vulnerability in Apache Tomcat

Information has been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, an open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The problem allows code execution on the server by sending a specially crafted request. The vulnerability is fixed in the Apache Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104 releases.

For exploitation to succeed, the attacker must be able to control the contents and the name of a file on the server (for example, if the application allows uploading documents or images). In addition, the attack is possible only on systems that use PersistenceManager with FileStore storage, in configurations where the sessionAttributeValueClassNameFilter parameter is set to "null" (the default when SecurityManager is not used) or where a weak filter is chosen that permits object deserialization. The attacker must also know or guess the path to the file they control, relative to the FileStore location.
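The configuration conditions above can be checked mechanically. The following is an added example, not code from the original article or from the Tomcat project: it audits a `context.xml` for a file-backed persistent session manager with a missing or over-permissive `sessionAttributeValueClassNameFilter`. The sample configurations, the probe class name and the finding labels are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed probe: a class name that a tight session-attribute filter has no reason to allow.
PROBE_CLASS = "org.example.constructed.NotASessionValue"

def audit_context(xml_text):
    """Return findings for each PersistentManager + FileStore pair in a context.xml."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        # Tomcat's class is org.apache.catalina.session.PersistentManager.
        if not mgr.get("className", "").endswith(".PersistentManager"):
            continue
        if not any(s.get("className", "").endswith(".FileStore") for s in mgr.iter("Store")):
            continue  # other session stores are outside the conditions described above
        flt = mgr.get("sessionAttributeValueClassNameFilter")
        if flt is None:
            # Unset means "null" (no filtering) unless Tomcat runs under a SecurityManager.
            findings.append("no-filter")
            continue
        try:
            # Tomcat requires the whole class name to match; Python's re only
            # approximates java.util.regex, so treat this as a first-pass check.
            if re.fullmatch(flt, PROBE_CLASS):
                findings.append("weak-filter")
        except re.error:
            findings.append("unparseable-filter")
    return findings

# Constructed sample configurations (not taken from any real deployment).
TEMPLATE = r'''<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"%s>
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>'''
NO_FILTER = TEMPLATE % ""
WEAK_FILTER = TEMPLATE % ' sessionAttributeValueClassNameFilter=".*"'
TIGHT_FILTER = TEMPLATE % (
    r' sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"')
DEFAULT_MANAGER = "<Context/>"  # no persistent manager configured at all

if __name__ == "__main__":
    for name in ("NO_FILTER", "WEAK_FILTER", "TIGHT_FILTER", "DEFAULT_MANAGER"):
        print(name, audit_context(globals()[name]))
```

An empty result only means these configuration preconditions are absent in the file checked; upgrading to one of the fixed releases listed above remains the actual fix.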

Source: opennet.ru
