Vulnerability in Apache Tomcat allowing substitution of JSP code and retrieval of web application files

Researchers at the Chinese company Chaitin Tech have discovered a vulnerability (CVE-2020-1938) in Apache Tomcat, the open implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. The vulnerability has been given the code name Ghostcat and a critical severity rating (9.8 CVSS). In the default configuration, the problem allows anyone who can send a request to network port 8009 to read the contents of any file in the web application directory, including configuration files and the application's source code.

The vulnerability also makes it possible to include other files in the application code, which allows code execution on the server if the application permits files to be uploaded to it (for example, an attacker could upload a JSP script disguised as an image through an image upload form). The attack can be carried out whenever it is possible to send a request to the network port served by the AJP handler. According to preliminary data, more than 1.2 million hosts accepting requests over the AJP protocol have been found on the Internet.

The vulnerability lies in the AJP protocol itself and is not caused by an error in the implementation. In addition to accepting connections over HTTP (port 8080), Apache Tomcat by default also allows access to the web application over the AJP protocol (Apache JServ Protocol, port 8009), a binary analogue of HTTP optimized for higher performance, typically used when building a cluster of Tomcat servers or to speed up interaction between Tomcat and a reverse proxy or load balancer.

AJP provides a standard function for accessing files on the server, which can be used, among other things, to retrieve files that are not intended for disclosure. AJP should only be reachable from trusted servers, but in practice the default Tomcat configuration ran the handler on all network interfaces and accepted requests without authentication. Access is possible to any web application file, including the contents of WEB-INF, META-INF and any other directory served via a call to ServletContext.getResourceAsStream(). AJP also allows any file in the directories accessible to the web application to be executed as a JSP script.

The problem has existed since the Tomcat 13.x branch was released 6 years ago. Besides Tomcat itself, it also affects products that use it, such as Red Hat JBoss Web Server (JWS), JBoss Enterprise Application Platform (EAP), and self-contained web applications built on Spring Boot. A similar vulnerability (CVE-2020-1745) is present in the Undertow web server, which is used in the Wildfly application server. In JBoss and Wildfly, AJP is enabled by default only in the standalone-full-ha.xml and standalone-ha.xml profiles and in the ha/full-ha profiles of domain.xml. In Spring Boot, AJP support is disabled by default. Various teams have already prepared more than a dozen working exploit examples (1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11).

The vulnerability is fixed in Tomcat releases 9.0.31, 8.5.51 and 7.0.100 (fixes for the 6.x branch have been discontinued). You can track the availability of updates in distributions on these pages: Debian, Ubuntu, RHEL, Fedora, SUSE, FreeBSD. As a workaround, you can disable the Tomcat AJP Connector service (bind the listening socket to localhost or comment out the line containing Connector port="8009") if it is not needed, or set up authenticated access using the "secret" and "address" attributes if the service is used to interact with other servers and proxies based on mod_jk and mod_proxy_ajp (mod_cluster does not support authentication).
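To make the workaround above concrete, here is an added audit script (not code from the original article or from the Tomcat project) that parses a Tomcat server.xml and flags AJP Connectors which are enabled, not bound to a loopback address, or lack a shared secret. The three embedded server.xml fragments are constructed for the example: the first mirrors the default AJP line described in the text, the second applies the "address" and "secret" attributes, and the third simply comments the connector out. The check for the older attribute name "requiredSecret" alongside "secret" is an assumption about pre-9.0.31 configurations; the secret value itself is a placeholder.

```python
import xml.etree.ElementTree as ET

# Addresses that keep the AJP listener off external interfaces.
LOOPBACK = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1", "localhost"}

# "secret" is the attribute the article names; "requiredSecret" is assumed to be
# the older spelling used by earlier Tomcat branches.
SECRET_ATTRS = ("secret", "requiredSecret")


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per enabled AJP Connector found in a server.xml document.

    Each finding is a dict with the connector's port, bind address and a list of
    issues (empty when the connector is both loopback-bound and secret-protected).
    Connectors that were commented out are XML comments and are never parsed,
    so they produce no finding at all.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if not protocol.upper().startswith("AJP"):
            continue  # HTTP connectors are out of scope for this check

        address = conn.get("address")
        issues = []
        if address is None:
            issues.append("listens on all interfaces")
        elif address not in LOOPBACK:
            issues.append("bound to non-loopback address %s" % address)
        if not any(conn.get(attr) for attr in SECRET_ATTRS):
            issues.append("no shared secret configured")

        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


def is_hardened(server_xml: str) -> bool:
    """True when no enabled AJP connector carries any issue."""
    return all(not f["issues"] for f in audit_ajp_connectors(server_xml))


# Constructed fragment 1: the default-style AJP line the article describes
# (all interfaces, no authentication).
DEFAULT_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

# Constructed fragment 2: the same connector restricted to localhost and
# protected with a shared secret (placeholder value, replace in real use).
HARDENED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="127.0.0.1" secret="REPLACE_WITH_LONG_RANDOM_SECRET" />
  </Service>
</Server>"""

# Constructed fragment 3: the AJP connector commented out entirely.
DISABLED_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->
  </Service>
</Server>"""


if __name__ == "__main__":
    for label, doc in (("default", DEFAULT_SERVER_XML),
                       ("hardened", HARDENED_SERVER_XML),
                       ("disabled", DISABLED_SERVER_XML)):
        print(label, audit_ajp_connectors(doc), "hardened:", is_hardened(doc))
```

Running the script against a real server.xml is a matter of reading the file into a string and passing it to audit_ajp_connectors(); an empty issue list (or no finding at all, for a commented-out connector) is the state the article's workaround aims for.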

Source: opennet.ru
