On February 20, the China National Vulnerability Database (CNVD) released an Apache Tomcat file inclusion vulnerability (CNVD-2020-10487/CVE-2020-1938). This vulnerability is due to a flaw in the Tomcat Apache JServ Protocol (AJP). An attacker could exploit this vulnerability to read arbitrary files from a web application directory on the server. If the target server also provides a file upload function, the attacker can further achieve remote code execution. Currently, the vendor has released new versions to fix this vulnerability.

Tomcat is an important project of the Apache Software Foundation (ASF). Owing to its stable performance and free availability, it is a very popular web application server. Considering the widespread deployment of Tomcat, the vulnerability in question affects a large number of users.

For details of this vulnerability, visit the following link:

Tomcat users should take preventive measures to fix this vulnerability as soon as possible.

(1) Find the following line in /conf/server.xml under the Tomcat working directory (Apache Tomcat 7 is the working directory of Tomcat):

(2) Comment out this line (or delete it).

(3) Save the file and restart Tomcat to make the change take effect.

If you need to keep using Tomcat AJP, configure an authentication credential for the AJP connector; the attribute name depends on the Tomcat version you use:

For Tomcat 7 and 9, you can configure a secret for the AJP connector (YOUR_TOMCAT_AJP_SECRET must be changed to a highly secure secret that cannot be guessed easily):

For Tomcat 8, you can set requiredSecret for the AJP connector (YOUR_TOMCAT_AJP_SECRET must be changed to a highly secure secret that cannot be guessed easily):

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS Information Technology Co., Ltd. was founded in April 2000. Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. With more than 30 branches and subsidiaries at home and abroad, the company provides the most competitive security products and solutions for governments, carriers, and the financial, energy, Internet, education, and medical sectors, ensuring customers' business continuity.
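To verify that the server.xml mitigation steps given above (disable the AJP connector, or require a secret) were actually applied on a deployment, here is an added audit script that is not part of the NSFOCUS advisory. It parses server.xml and flags every enabled AJP connector that has no secret, still carries the YOUR_TOMCAT_AJP_SECRET placeholder, or is bound to a non-loopback address; the sample server.xml is constructed, and `secret`, `requiredSecret` and `address` are standard AJP Connector attributes.

```python
# Added audit script (not from the NSFOCUS advisory): flag AJP connectors in
# server.xml that remain enabled without the mitigations described above.
import xml.etree.ElementTree as ET

# Constructed sample server.xml: a default AJP connector (weak), a commented-out
# one (step 2 of the solution) and a hardened one bound to loopback with a secret.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- <Connector port="8019" protocol="AJP/1.3" redirectPort="8443" /> -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="example-only-long-random-value" />
  </Service>
</Server>
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PLACEHOLDER = "YOUR_TOMCAT_AJP_SECRET"  # value the advisory says must be replaced


def audit_ajp(server_xml: str) -> list:
    """Return one finding per enabled AJP connector: its port and a list of
    problems (empty when it has a real secret and is loopback-bound).
    Commented-out connectors are dropped by the XML parser, as Tomcat drops them."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "HTTP/1.1").startswith("AJP"):
            continue
        # "secret" is the current attribute name; "requiredSecret" is the older
        # name the advisory cites for Tomcat 8. Either counts when non-empty.
        secret = conn.get("secret") or conn.get("requiredSecret") or ""
        # Assume an unset address means all interfaces (the pre-fix default).
        address = conn.get("address", "0.0.0.0")
        problems = []
        if not secret:
            problems.append("no AJP secret configured")
        elif secret == PLACEHOLDER:
            problems.append("placeholder secret still in place")
        if address not in LOOPBACK:
            problems.append("bound to %s, not loopback" % address)
        findings.append({"port": conn.get("port"), "problems": problems})
    return findings


if __name__ == "__main__":
    for f in audit_ajp(SAMPLE_SERVER_XML):
        print("AJP connector on port %s: %s" % (
            f["port"], "; ".join(f["problems"]) or "OK"))
```

Point it at a real file with `audit_ajp(open("/path/to/conf/server.xml").read())`; an empty result means no AJP connector is enabled at all, which is the outcome of steps (1) to (3).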