Remote code execution vulnerability in Apache Tomcat

Information has been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, an open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The problem allows code execution on the server by sending a specially crafted request. The vulnerability has been fixed in Apache Tomcat releases 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104.

To exploit the vulnerability successfully, the attacker must be able to control the contents and the name of a file on the server (for example, if the application can upload documents or images). In addition, the attack is possible only on systems that use PersistenceManager with FileStore storage, where the sessionAttributeValueClassNameFilter parameter is set to "null" (the default, if SecurityManager is not used) or a weak filter is chosen that allows object deserialization. The attacker must also know or guess the path to the file they control, relative to the FileStore location.
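The preconditions above can be checked on your own servers. The following audit script is an added example, not code from the original article or from the Tomcat project. It assumes the manager and store are declared with Tomcat's class names org.apache.catalina.session.PersistentManager and org.apache.catalina.session.FileStore, treats only an unset, empty or match-all filter as weak, and uses constructed sample configurations.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases as listed in the article, keyed by (major, minor) branch.
FIXED = {(10, 0): "10.0.0-M5", (9, 0): "9.0.35", (8, 5): "8.5.55", (7, 0): "7.0.104"}
FINAL = 10**6  # sorts a final release after any milestone (M1, M2, ...)

def parse_version(text):
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else FINAL)

def is_patched(version):
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    # Branches the article does not list are reported as unknown (None).
    return None if fixed is None else v >= parse_version(fixed)

def audit_context(xml_text):
    """Return one finding per <Manager> that matches the stated preconditions."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        if not mgr.get("className", "").endswith("PersistentManager"):
            continue
        if not any(s.get("className", "").endswith("FileStore") for s in mgr.iter("Store")):
            continue
        filt = mgr.get("sessionAttributeValueClassNameFilter")
        if filt is None:
            findings.append("filter unset (null unless SecurityManager is used)")
        elif filt.strip() in ("", ".*", ".+"):  # assumption: minimal weak-filter heuristic
            findings.append(f"filter {filt!r} allows any class")
    return findings

# Constructed sample configurations, not taken from a real deployment.
WEAK = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
HARDENED = WEAK.replace(
    'PersistentManager">',
    'PersistentManager" sessionAttributeValueClassNameFilter='
    '"java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">')

if __name__ == "__main__":
    print(audit_context(WEAK), audit_context(HARDENED), is_patched("9.0.34"))
```

A restrictive filter narrows what can be deserialized from the session store; upgrading to one of the fixed releases remains the actual remedy.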

Source: opennet.ru
