Vulnerability in Apache Tomcat that allows substituting JSP code and retrieving web application files

Researchers from the Chinese company Chaitin Tech have discovered a vulnerability (CVE-2020-1938) in Apache Tomcat, the open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The vulnerability has been given the code name Ghostcat and a critical severity rating (CVSS 9.8). In the default configuration, the problem allows anyone who can send a request to network port 8009 to read the contents of any file in the web application directory, including configuration files and application source code.

The vulnerability also makes it possible to include other files into the application code, which leads to code execution on the server if the application lets files be uploaded to it (for example, an attacker can upload a JSP script disguised as an image through an image upload form). The attack can be carried out whenever a request can be sent to the network port served by the AJP handler. According to preliminary data, more than 1.2 million hosts accepting requests over the AJP protocol were found online.

The vulnerability lies in the AJP protocol itself and is not caused by an implementation error. In addition to accepting connections over HTTP (port 8080), Apache Tomcat by default also exposes the web application over the AJP protocol (Apache JServ Protocol, port 8009), a binary analogue of HTTP optimised for higher performance that is typically used when building a cluster of Tomcat servers or to speed up interaction with Tomcat from a reverse proxy or load balancer.

AJP provides a standard function for accessing files on the server, and that function can be used to retrieve files that were never meant to be disclosed. AJP should be reachable only from trusted servers, but in practice Tomcat's default configuration started the handler on all network interfaces and accepted requests without authentication. Any web application file can be accessed, including the contents of WEB-INF, META-INF and any other directory served through the ServletContext.getResourceAsStream() call. AJP also allows any file in a directory accessible to the web application to be processed as a JSP script.

The problem has been present since the Tomcat 13.x branch, released thirteen years ago. Besides Tomcat itself, it also affects products built on it, such as Red Hat JBoss Web Server (JWS), JBoss Enterprise Application Platform (EAP), and standalone web applications that use Spring Boot. A similar vulnerability (CVE-2020-1745) exists in the Undertow web server used in the WildFly application server. In JBoss and WildFly, AJP is enabled by default only in the standalone-full-ha.xml and standalone-ha.xml profiles and in the ha/full-ha profiles of domain.xml. In Spring Boot, AJP support is disabled by default. At the moment, various groups have already published more than a dozen working exploit prototypes (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11).

The vulnerability is fixed in Tomcat releases 9.0.31, 8.5.51 and 7.0.100 (maintenance of the 6.x branch has been discontinued). The availability of fixes in distribution packages can be tracked on these pages: Debian, Ubuntu, RHEL, Fedora, SUSE, FreeBSD. As a workaround, disable the Tomcat AJP Connector service if it is not needed (bind its listening socket to localhost, or comment out the line containing Connector port="8009"), or, if the service is used to talk to other servers and proxies based on mod_jk and mod_proxy_ajp, restrict access with the "secret" and "address" attributes (mod_cluster does not support authentication).
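As an added example (not part of the article and not Tomcat's own code), the following script checks a server.xml for an AJP connector left in the pre-fix default state described above, using the "address" and "secret" attributes the article names; both server.xml fragments are constructed samples, and the secret value is a placeholder.

```python
# Added example: audit a Tomcat server.xml for AJP connectors that are exposed the way
# Ghostcat (CVE-2020-1938) relies on: listening on all interfaces with no shared secret.
import xml.etree.ElementTree as ET

# Constructed sample: the historic default shipped before the 9.0.31/8.5.51/7.0.100 fixes.
WEAK_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed sample: AJP bound to loopback and requiring a shared secret,
# i.e. the "address" and "secret" mitigation the article recommends.
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secret="PLACEHOLDER-REPLACE-WITH-RANDOM-SECRET" />
  </Service>
</Server>"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding dict per AJP connector; 'issues' is empty when hardened."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Only AJP/1.3 connectors are relevant; Tomcat treats a missing protocol as HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")  # absent => bind to all interfaces (pre-fix default)
        secret = conn.get("secret")    # absent => requests accepted without authentication
        issues = []
        if address is None or address in ("0.0.0.0", "::"):
            issues.append("AJP listens on all interfaces; set address to loopback or a trusted IP")
        if not secret:
            issues.append("AJP accepts requests without a shared secret; set the secret attribute")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for finding in audit_ajp_connectors(xml):
            print(label, "port", finding["port"], finding["issues"] or "OK")
```

Point the function at the text of a real server.xml to run the same check against a deployed instance; a connector whose address is a non-loopback internal IP is reported as bound but still needs the secret.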

Source: opennet.ru
