CVE-2020-1938 Vulnerability Analysis

Overview
A vulnerability was found in the AJP (Apache JServ Protocol) connector that Apache Tomcat versions 6, 7, 8 and 9 enabled by default. It was discovered on 3 January 2020 by the Chinese security firm Chaitin Tech, and its impact is wide enough to have earned a high CVSS score of 9.8. Where the vulnerability exists, files under the /webapps/ROOT directory can be read through the AJP protocol, and if a file upload function is also present this extends to remote code execution. After the vulnerability was disclosed, patches were released in February 2020 for every version except the 6.x branch, which had reached End of Service; however, because numerous PoCs exist on GitHub to this day, the frequency of attacks exploiting it is expected to keep increasing..
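To make the exposure concrete, the following is an added illustration (not part of the original analysis) of the AJP connector entry in Tomcat's conf/server.xml: first the pre-patch default that listens on every interface with no authentication, then the hardened form, which assumes you actually need AJP (a reverse proxy in front of Tomcat); the secret value is a placeholder to be replaced with your own.

```xml
<!-- conf/server.xml, BEFORE: the default shipped with Tomcat before the
     February 2020 fix. The AJP connector is active, bound to all
     interfaces, and requires no shared secret, so any client that can
     reach TCP/8009 can speak AJP to this instance. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- AFTER, option 1: if nothing in front of Tomcat uses AJP, remove or
     comment out the connector entirely so port 8009 is never opened. -->
<!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> -->

<!-- AFTER, option 2: if a reverse proxy needs AJP, keep the connector but
     (a) bind it to the loopback or the proxy-facing interface only and
     (b) require the shared secret introduced with the fixed releases.
     Replace the placeholder with a long random value that the proxy
     (e.g. mod_proxy_ajp / mod_jk) is configured to send. -->
<Connector port="8009"
           protocol="AJP/1.3"
           address="127.0.0.1"
           redirectPort="8443"
           secretRequired="true"
           secret="REPLACE-WITH-LONG-RANDOM-SECRET" />
```

After restarting Tomcat, confirm with `ss -ltnp` (or `netstat -an`) that port 8009 is either absent or bound only to the address you chose.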

WEB