Apache Tomcat remote code execution vulnerability

Information has been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, an open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The issue makes it possible to achieve code execution on the server by sending a specially crafted request. The vulnerability has been addressed in the Apache Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104 releases.

To exploit the vulnerability successfully, an attacker must be able to control the content and name of a file on the server (for example, if the application allows documents or images to be uploaded). In addition, the attack is possible only on systems that use PersistenceManager with FileStore storage, in configurations where the sessionAttributeValueClassNameFilter parameter is set to "null" (the default when SecurityManager is not used) or where a weak filter has been chosen that allows object deserialization. The attacker must also know or guess the path to the file they control, relative to the FileStore location.
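The configuration preconditions above can be checked on your own servers with a short audit script. This is an added example, not code from the original article or from the Tomcat project; the XML samples and the probe class name are constructed, the Java filter regex is assumed to be simple enough for Python's `re` module, and whether a SecurityManager is in use cannot be read from the XML, so a missing filter is always reported.

```python
import re
import xml.etree.ElementTree as ET

# Tomcat class names for the session manager and store the article refers to.
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"
# Hypothetical class name used as a probe: a filter that accepts it is too broad.
PROBE_CLASS = "com.example.constructed.UnexpectedClass"

def audit_context(xml_text):
    """Return (store_directory, reason) for every risky Manager in the XML."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        store = mgr.find("Store")
        if mgr.get("className") != PERSISTENT_MANAGER or store is None:
            continue
        if store.get("className") != FILE_STORE:
            continue
        directory = store.get("directory", "(default)")
        flt = mgr.get(FILTER_ATTR)
        if not flt:
            # Absent filter: null by default when no SecurityManager is in use.
            findings.append((directory, "no filter set"))
            continue
        try:
            # Assumption: the Java regex is simple enough for Python's re module.
            too_broad = re.fullmatch(flt, PROBE_CLASS) is not None
        except re.error:
            findings.append((directory, "filter needs manual review"))
            continue
        if too_broad:
            findings.append((directory, "filter accepts arbitrary class names"))
    return findings

# Constructed sample configurations (not taken from a real deployment).
TEMPLATE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"@ATTR@>
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
NO_FILTER = TEMPLATE.replace("@ATTR@", "")
WILDCARD = TEMPLATE.replace("@ATTR@", ' %s=".*"' % FILTER_ATTR)
ALLOWLIST = TEMPLATE.replace(
    "@ATTR@", r' %s="java\.lang\.(?:Boolean|Integer|String)"' % FILTER_ATTR)

if __name__ == "__main__":
    for name, xml_text in [("no filter", NO_FILTER), ("wildcard", WILDCARD),
                           ("allow-list", ALLOWLIST)]:
        print(name, "->", audit_context(xml_text) or "ok")
```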

Source: opennet.ru
