Vulnerability ID: 22868
Risk level: 40
Port: 80, ...
Protocol: TCP
Category: WWW
Detailed description: The remote host is running Apache Tomcat 9.0.x earlier than 9.0.10, which is affected by the following multiple vulnerabilities.

- The CORS filter's insecure default settings are in effect: out of the box the filter allows every origin and enables credentials support, so a page on an attacker-controlled site can make cross-origin requests that carry the victim's cookies or HTTP authentication and read the responses. The CORS filter should not be enabled unless it is needed, and where it is needed it must be configured explicitly for the environment (named allowed origins, credentials support only when required). (CVE-2018-8014)

- Because of a certificate identification error in Tomcat's revocation handling (OCSP checking in the Tomcat Native library used by the APR/native connector), a client certificate that has already been revoked can still be accepted, so an attacker holding a revoked certificate can bypass client certificate authentication. (CVE-2018-8019, CVE-2018-8020)

- The WebSocket client does not verify the server's host name against its certificate when using TLS, so a man-in-the-middle presenting any certificate trusted by the client's trust store can impersonate the remote endpoint. (CVE-2018-8034)
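For the first item (CVE-2018-8014), the configuration check a practitioner actually wants is whether a CorsFilter ends up with "any origin plus credentials", either explicitly or by relying on the old defaults. The script below is an added example written for this entry; it is not code from the advisory or from Apache Tomcat. It assumes only the public CorsFilter init-param names (cors.allowed.origins, cors.support.credentials) and the filter class name; the two web.xml fragments and the response headers are constructed samples. It also includes a classifier for a live probe: send a request with an Origin header you control and rate the CORS response headers that come back.

```python
"""Audit Tomcat CorsFilter configuration for the CVE-2018-8014 weakness."""
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"


def _local(tag):
    """Strip the XML namespace: {http://xmlns.jcp.org/xml/ns/javaee}filter -> filter."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def cors_filters(web_xml):
    """Return [(filter-name, {init-param-name: value})] for every CorsFilter in web.xml."""
    found = []
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter":
            continue
        name, cls, params = None, None, {}
        for child in flt:
            kind = _local(child.tag)
            if kind == "filter-name":
                name = _text(child)
            elif kind == "filter-class":
                cls = _text(child)
            elif kind == "init-param":
                pn = pv = ""
                for p in child:
                    if _local(p.tag) == "param-name":
                        pn = _text(p)
                    elif _local(p.tag) == "param-value":
                        pv = _text(p)
                if pn:
                    params[pn] = pv
        if cls == CORS_FILTER_CLASS:
            found.append((name, params))
    return found


def audit(web_xml, credentials_default="true"):
    """Rate each CorsFilter. credentials_default is what an absent
    cors.support.credentials means: "true" on the vulnerable builds this entry
    covers (the insecure default), "false" once the defaults were corrected."""
    findings = []
    for name, params in cors_filters(web_xml):
        origins = params.get("cors.allowed.origins", "*").strip()
        creds = params.get("cors.support.credentials", credentials_default).strip().lower()
        if origins == "*" and creds == "true":
            findings.append({"filter": name, "severity": "critical",
                             "reason": "any origin allowed with credentials: cookies and "
                                       "HTTP auth usable from attacker-controlled sites"})
        elif origins == "*":
            findings.append({"filter": name, "severity": "low",
                             "reason": "any origin allowed, but without credentials"})
    return findings


def classify_cors_response(headers, probe_origin):
    """Rate the response to a request sent with Origin: probe_origin (a host you
    control). Returns "critical", "low" or "none"."""
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin", "").strip()
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    if acao == probe_origin and creds:
        return "critical"   # arbitrary origin reflected together with credentials
    if acao in (probe_origin, "*"):
        return "low"        # readable cross-origin, but the browser sends no credentials
    return "none"


# Constructed sample: filter declared with no init-params, i.e. relying on defaults.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping><filter-name>CorsFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

# Constructed sample: one named origin; credentials are then safe to allow.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param>
  </filter>
  <filter-mapping><filter-name>CorsFilter</filter-name><url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_WEB_XML))
    print("hardened:", audit(HARDENED_WEB_XML))
    probe = {"Access-Control-Allow-Origin": "https://attacker.example",
             "Access-Control-Allow-Credentials": "true"}   # constructed response
    print("probe:", classify_cors_response(probe, "https://attacker.example"))
```

Run audit() over each deployed web.xml (and over conf/web.xml if the filter was enabled globally). The credentials_default parameter matters: a bare filter declaration is critical on an unpatched 9.0.x because the old default turns credentials on, and upgrading alone does not help a deployment that sets the wildcard and credentials explicitly.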

* Reference sites:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.10
https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties

* Affected platforms:
Apache Tomcat Server 9.0.x versions earlier than 9.0.10
All operating systems, all versions
Solution: Upgrade to the latest version of Apache Tomcat Server (9.0.10 or later), available from the Apache Software Foundation web site at http://tomcat.apache.org/. If the APR/native connector is in use, update the Tomcat Native library as well, since CVE-2018-8019 and CVE-2018-8020 lie in that component. Note that the upgrade only corrects the CORS filter's defaults; a web.xml that explicitly sets cors.allowed.origins to * together with cors.support.credentials true remains exposed and must be changed by hand.
Related URL: CVE-2018-8014, CVE-2018-8019, CVE-2018-8020, CVE-2018-8034 (CVE)