[CVE-2020-1938]漏洞解决_升级Tomcat版本并关闭AJP

关东煮大刀
433 阅读1分钟

“我正在参加「掘金·启航计划」”

  1. 漏洞库中查询漏洞avd.aliyun.com/detail?id=A… ,查看漏洞原因:Apache Tomcat AJP协议的实现上有漏洞,默认开启AJP,所以会导致此漏洞 涉及版本

Apache Tomcat 6

Apache Tomcat 7 < 7.0.100

Apache Tomcat 8 < 8.5.51

Apache Tomcat 9 < 9.0.31

1.1 漏洞传参 javax.servlet.include.request_uri设置为根路径/javax.servlet.include.path_info设置为请求的文件、javax.servlet.include.servlet_path 2. 解决方案 2.1 升级版本 2.1.1 首先查看目前Tomcat的版本号,命令行进入bin目录输入version,得到版本号为8.0.43

image.png 2.2 关闭AJP 找到AJP所在行,找到文件conf\server.xml,其中AJP行

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

附录

a. Tomcat重要组件,从server.xml

- Service
    - Connector
        - http协议
        访问tomcat    
        - ajp协议
        http协议访问apache,再由apache通过ajp协议访问tomcat
            apache是多进程的,一个请求一个进程,处理静态文件比较有优势,比tomcat快。如果是静态文件由apache处理,如果是servlet由tomcat处理、
            tomcat处理servlet比较有优势
    - Engine

b. 源码调用【8.5.x】主要关注AjpProcessor和DefaultServlet

  1. 调用Processor处理org/apache/coyote/AbstractProtocol.java:885 2. Ajp开始处理请求 org.apache.coyote.ajp.AjpProcessor#prepareRequest 3. AjpProcessor中 org/apache/coyote/ajp/AjpProcessor.java:834 如果正常请求,在Constants中 ```
// Integer codes for common (optional) request attribute names
public static final byte SC_A_CONTEXT       = 1;  // XXX Unused
public static final byte SC_A_SERVLET_PATH  = 2;  // XXX Unused
public static final byte SC_A_REMOTE_USER   = 3;
public static final byte SC_A_AUTH_TYPE     = 4;
public static final byte SC_A_QUERY_STRING  = 5;
public static final byte SC_A_JVM_ROUTE     = 6;
public static final byte SC_A_SSL_CERT      = 7;
public static final byte SC_A_SSL_CIPHER    = 8;
public static final byte SC_A_SSL_SESSION   = 9;
public static final byte SC_A_SSL_KEY_SIZE  = 11;
public static final byte SC_A_SECRET        = 12;
public static final byte SC_A_STORED_METHOD = 13;

但如果非正常请求则

// Used for attributes which are not in the list above
public static final byte SC_A_REQ_ATTRIBUTE = 10;

4.根据请求参数值javax.servlet.include.request_uri根目录,这里得出值/ org.apache.tomcat.util.buf.MessageBytes#toString 判断是否是ajp正常请求

/**
 * AJP private request attributes
 */
public static final String SC_A_REQ_LOCAL_ADDR  = "AJP_LOCAL_ADDR";
public static final String SC_A_REQ_REMOTE_PORT = "AJP_REMOTE_PORT";
public static final String SC_A_SSL_PROTOCOL    = "AJP_SSL_PROTOCOL";
  1. 三个自定义request都会进行设置 org/apache/coyote/ajp/AjpProcessor.java:873
  2. DefaultServlet中serveResource方法
org.apache.catalina.servlets.DefaultServlet#serveResource

查看INCLUDE_REQUEST_URI值,javax.servlet.RequestDispatcher#INCLUDE_REQUEST_URI中就是产生漏洞时设置的值\

String requestUri = (String) request.getAttribute(
        RequestDispatcher.INCLUDE_REQUEST_URI);

static final String INCLUDE_REQUEST_URI = "javax.servlet.include.request_uri";
avatar
文章
阅读
粉丝