Vulnerability in Apache Tomcat allowing JSP code substitution and retrieval of web application files

Researchers from the Chinese company Chaitin Tech have discovered a vulnerability (CVE-2020-1938) in Apache Tomcat, an open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The vulnerability has been given the code name Ghostcat and a critical severity rating (CVSS 9.8). In the default configuration, the problem allows anyone who can send a request to network port 8009 to read the contents of any file in the web application directory, including configuration files and the application's source code.

The vulnerability also makes it possible to include other files into the application code, which leads to code execution on the server if the application lets users upload files to it (for example, an attacker could upload a JSP script disguised as an image through an image upload form). The attack can be carried out whenever a request can be sent to the network port served by the AJP handler. According to preliminary data, more than 1.2 million hosts accepting requests over the AJP protocol were found on the Internet.

The weakness lies in the AJP protocol itself and is not caused by an implementation bug. In addition to accepting connections over HTTP (port 8080), Apache Tomcat by default also exposes the web application over the AJP protocol (Apache JServ Protocol, port 8009), a binary analogue of HTTP optimized for performance that is normally used when building a cluster of Tomcat servers or to speed up interaction with Tomcat from a reverse proxy or load balancer.

AJP provides a standard facility for accessing files on the server, and that facility can be abused to retrieve files that are not meant to be disclosed. AJP is supposed to be reachable only from trusted servers, but in practice the default Tomcat configuration bound the handler to all network interfaces and accepted requests without authentication. Access is possible to any file of the web application, including the contents of WEB-INF, META-INF and any other directory reachable through a call to ServletContext.getResourceAsStream(). AJP also allows any file in a directory accessible to the web application to be processed as a JSP script.

The problem has been present since the release of the Tomcat 6.x branch 13 years ago. Besides Tomcat itself, it also affects products that build on it, such as Red Hat JBoss Web Server (JWS), JBoss Enterprise Application Platform (EAP) and standalone web applications using Spring Boot. A similar vulnerability (CVE-2020-1745) is present in the Undertow web server used in the Wildfly application server. In JBoss and Wildfly, AJP is enabled by default only in the standalone-full-ha.xml and standalone-ha.xml profiles and in the ha/full-ha profiles of domain.xml. In Spring Boot, AJP support is disabled by default. Various teams have already published more than a dozen working exploit examples (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11).

The vulnerability is fixed in Tomcat releases 9.0.31, 8.5.51 and 7.0.100 (maintenance of the 6.x branch has been discontinued). Availability of updates in distributions can be tracked on these pages: Debian, Ubuntu, RHEL, Fedora, SUSE, FreeBSD. As a workaround, disable the Tomcat AJP Connector if it is not needed (bind its listening socket to localhost or comment out the line with Connector port="8009"), or, if the service is used to talk to other servers and to proxies based on mod_jk or mod_proxy_ajp, restrict and authenticate access with the "address" and "secret" attributes (mod_cluster does not support authentication).
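The two workarounds above expressed as server.xml Connector elements. This is an added illustration, not configuration taken from the article or from the Tomcat distribution; the secret value is a placeholder to be replaced with a long random string that is also configured on the proxy side (for mod_jk the worker property worker.<name>.secret).

```xml
<!-- Vulnerable pre-fix default: AJP on every interface, no authentication. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- Workaround 1: AJP not needed, so comment the connector out (or delete it). -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

<!-- Workaround 2: AJP needed by a local mod_jk / mod_proxy_ajp, so bind it to
     loopback and require a shared secret on every forwarded request. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secret="REPLACE-WITH-LONG-RANDOM-VALUE" />
```

Note that from the fixed releases onward the AJP connector also binds to loopback by default and refuses to start without a secret unless secretRequired="false" is set explicitly, so after upgrading, a proxy on another host that suddenly gets connection refused is the expected symptom, not a regression: set address to the interface the proxy reaches and add a matching secret on both sides.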

Source: opennet.ru
