Remote code execution vulnerability in Apache Tomcat

Information has been published about a vulnerability (CVE-2020-9484) in Apache Tomcat, an open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The issue allows code execution on the server by sending a specially crafted request. The vulnerability has been addressed in the Apache Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104 releases.

To exploit the vulnerability successfully, the attacker must be able to control the contents and name of a file on the server (for example, if the application has the ability to upload documents or images). In addition, the attack is only possible on systems that use PersistenceManager with FileStore storage, in configurations where the sessionAttributeValueClassNameFilter parameter is set to "null" (the default if SecurityManager is not used) or where a weak filter is chosen that allows object deserialization. The attacker must also know or guess the path to the file they control, relative to the FileStore location.
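A configuration check for the conditions listed above, as an added example that is not from the article or the Tomcat project: it parses a context.xml and flags a Manager that combines the persistent session manager with a FileStore and has no filter, or a catch-all one. The class names org.apache.catalina.session.PersistentManager and org.apache.catalina.session.FileStore are Tomcat's own; the sample XML, the probe class name and the "weak filter" heuristic are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
# Constructed class name that no sensible allow-list should accept (assumption).
PROBE_CLASS = "com.example.constructed.UnexpectedClass"

def filter_status(value):
    """Classify a sessionAttributeValueClassNameFilter value."""
    if value is None or value.strip() == "":
        return "missing"            # attribute absent: no class filtering at all
    try:
        # Assumption: Python's re behaves like Java regex for simple patterns.
        if re.fullmatch(value, PROBE_CLASS):
            return "weak"           # filter accepts an arbitrary class name
    except re.error:
        return "unparseable"        # treated as exposed, needs manual review
    return "restrictive"

def audit_context(xml_text):
    """Return one finding per Manager that uses PersistentManager + FileStore."""
    findings = []
    for manager in ET.fromstring(xml_text).iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        stores = [s for s in manager.iter("Store") if s.get("className") == FILE_STORE]
        if not stores:
            continue
        status = filter_status(manager.get("sessionAttributeValueClassNameFilter"))
        findings.append({"directory": stores[0].get("directory"),
                         "filter": status,
                         "exposed": status != "restrictive"})
    return findings

# Constructed sample configurations (not taken from the article).
SAMPLE_NO_FILTER = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
SAMPLE_FILTERED = SAMPLE_NO_FILTER.replace(
    'PersistentManager">',
    'PersistentManager" sessionAttributeValueClassNameFilter='
    '"java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">')

if __name__ == "__main__":
    print(audit_context(SAMPLE_NO_FILTER), audit_context(SAMPLE_FILTERED))
```

A finding with "exposed" set to true only means the configuration precondition from the article is met; the version and the file-control conditions still have to be checked separately.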

Source: opennet.ru
