Remote code execution vulnerability in Apache Tomcat

Details have been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The issue makes it possible to achieve code execution on the server by sending a specially crafted request. The vulnerability has been fixed in Apache Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104.

To exploit the vulnerability successfully, the attacker must be able to control the contents and the name of a file on the server (for example, if the application allows documents or images to be uploaded). In addition, the attack is possible only on systems that use PersistenceManager with FileStore storage, and in whose configuration the sessionAttributeValueClassNameFilter parameter is set to "null" (the default when SecurityManager is not used) or a weak filter has been chosen that permits object deserialization. The attacker must also know or guess the path to the file under their control, relative to the FileStore location.
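The configuration precondition described above can be checked during an audit. The following is an added example, not code from the article or from the Tomcat project: it scans a `context.xml` for a PersistentManager backed by a FileStore and reports a missing or overly permissive `sessionAttributeValueClassNameFilter`. The probe class name and the sample XML fragments are constructed, and an absent filter is treated as unfiltered, which matches the article's default only when no SecurityManager is in use.

```python
import re
import xml.etree.ElementTree as ET

PERSISTENT = "org.apache.catalina.session.PersistentManager"
FILESTORE = "org.apache.catalina.session.FileStore"
# Constructed probe: a class name no real session attribute would have.
PROBE = "com.example.unexpected.Payload"

def filter_allows(pattern, class_name):
    # The whole class name must match the filter. Python's re stands in
    # for java.util.regex here, which is an approximation.
    return re.fullmatch(pattern, class_name) is not None

def audit_context(xml_text):
    """Return findings for every PersistentManager + FileStore in the XML."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        store = mgr.find("Store")
        if mgr.get("className") != PERSISTENT or store is None:
            continue
        if store.get("className") != FILESTORE:
            continue
        where = store.get("directory", "(default directory)")
        flt = mgr.get("sessionAttributeValueClassNameFilter")
        try:
            if not flt:
                findings.append(f"{where}: no class-name filter set")
            elif filter_allows(flt, PROBE):
                findings.append(f"{where}: filter accepts arbitrary classes")
        except re.error:
            findings.append(f"{where}: filter needs manual review")
    return findings

def _ctx(filter_attr):
    # Constructed context.xml fragment for the demonstration below.
    return (f'<Context><Manager className="{PERSISTENT}"{filter_attr}>'
            f'<Store className="{FILESTORE}" directory="sessions"/>'
            f'</Manager></Context>')

SAMPLES = {
    "unfiltered": _ctx(""),
    "weak": _ctx(' sessionAttributeValueClassNameFilter=".*"'),
    "strict": _ctx(' sessionAttributeValueClassNameFilter='
                   r'"java\.lang\.(?:Boolean|Integer|Long|Number|String)"'),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        print(name, audit_context(xml_text) or "ok")
```

A clean result here covers only the configuration condition; the installed Tomcat version still needs to be compared against the fixed releases listed above.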

Source: opennet.ru
