CVE-2020-9484 - Deserialization of Untrusted Data vulnerability in multiple products
Summary
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
Nessus
Reporter for every plugin listed below: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.

Oracle Linux 7 : tomcat (ELSA-2020-2530)
- NASL family: Oracle Linux Local Security Checks
- NASL id: ORACLELINUX_ELSA-2020-2530.NASL
- Plugin id: 137387 (published 2020-06-12, modified 2020-06-12, last seen 2020-06-13)
- Source: https://www.tenable.com/plugins/nessus/137387
- Description: From Red Hat Security Advisory 2020:2530 : The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2530 advisory. - tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484) Note that Nessus has not tested for this issue but has instead relied only on the application

CentOS 7 : tomcat (CESA-2020:2530)
- NASL family: CentOS Local Security Checks
- NASL id: CENTOS_RHSA-2020-2530.NASL
- Plugin id: 137370 (published 2020-06-12, modified 2020-06-12, last seen 2020-06-13)
- Source: https://www.tenable.com/plugins/nessus/137370
- Description: The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2530 advisory. - tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484) Note that Nessus has not tested for this issue but has instead relied only on the application

Photon OS 1.0: Apache PHSA-2020-1.0-0298
- NASL family: PhotonOS Local Security Checks
- NASL id: PHOTONOS_PHSA-2020-1_0-0298_APACHE.NASL
- Plugin id: 137317 (published 2020-06-10, modified 2020-06-10, last seen 2020-06-12)
- Source: https://www.tenable.com/plugins/nessus/137317
- Description: An update of the apache package has been released.

openSUSE Security Update : tomcat (openSUSE-2020-711)
- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2020-711.NASL
- Plugin id: 136889 (published 2020-05-26, modified 2020-05-26, last seen 2020-06-03)
- Source: https://www.tenable.com/plugins/nessus/136889
- Description: This update for tomcat fixes the following issues : - Update to Tomcat 9.0.35. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.35_(markt) - CVE-2020-9484 (bsc#1171928) Apache Tomcat Remote Code Execution via session persistence. If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control. This update was imported from the SUSE:SLE-15-SP1:Update update project.

RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.3.1 (RHSA-2020:2506)
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-2506.NASL
- Plugin id: 137324 (published 2020-06-10, modified 2020-06-10, last seen 2020-06-12)
- Source: https://www.tenable.com/plugins/nessus/137324
- Description: The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2506 advisory. - tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484) Note that Nessus has not tested for this issue but has instead relied only on the application

Apache Tomcat 8.0.0 < 8.5.55 Remote Code Execution
- NASL family: Web Servers
- NASL id: TOMCAT_8_5_55.NASL
- Plugin id: 136807 (published 2020-05-22, modified 2020-05-22, last seen 2020-06-10)
- Source: https://www.tenable.com/plugins/nessus/136807
- Description: The version of Tomcat installed on the remote host is prior to 7.0.104. It is, therefore, affected by a remote code execution vulnerability as referenced in the fixed_in_apache_tomcat_8.5.55_security-8 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application

RHEL 6 / 7 : Red Hat JBoss Web Server 3.1 Service Pack 9 (RHSA-2020:2483)
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-2483.NASL
- Plugin id: 137308 (published 2020-06-10, modified 2020-06-10, last seen 2020-06-12)
- Source: https://www.tenable.com/plugins/nessus/137308
- Description: The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2483 advisory. - tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484) Note that Nessus has not tested for this issue but has instead relied only on the application

Photon OS 2.0: Apache PHSA-2020-2.0-0248
- NASL family: PhotonOS Local Security Checks
- NASL id: PHOTONOS_PHSA-2020-2_0-0248_APACHE.NASL
- Plugin id: 137197 (published 2020-06-06, modified 2020-06-06, last seen 2020-06-10)
- Source: https://www.tenable.com/plugins/nessus/137197
- Description: An update of the apache package has been released.

Debian DLA-2217-1 : tomcat7 security update
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DLA-2217.NASL
- Plugin id: 136833 (published 2020-05-26, modified 2020-05-26, last seen 2020-06-03)
- Source: https://www.tenable.com/plugins/nessus/136833
- Description: It was discovered that there was a potential remote code execution via deserialization in tomcat7, a server for HTTP and Java

RHEL 6 : tomcat6 (RHSA-2020:2529)
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-2529.NASL
- Plugin id: 137359 (published 2020-06-11, modified 2020-06-11, last seen 2020-06-12)
- Source: https://www.tenable.com/plugins/nessus/137359
- Description: The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2529 advisory. - tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484) Note that Nessus has not tested for this issue but has instead relied only on the application

Apache Tomcat 9.0.0 < 9.0.35 Remote Code Execution
- NASL family: Web Servers
- NASL id: TOMCAT_9_0_35.NASL
- Plugin id: 136806 (published 2020-05-22, modified 2020-05-22, last seen 2020-06-10)
- Source: https://www.tenable.com/plugins/nessus/136806
- Description: The version of Tomcat installed on the remote host is prior to 9.0.35. It is, therefore, affected by a remote code execution vulnerability as referenced in the fixed_in_apache_tomcat_9.0.35_security-9 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application

Apache Tomcat 7.0.0 < 7.0.104 Remote Code Execution
- NASL family: Web Servers
- NASL id: TOMCAT_7_0_104.NASL
- Plugin id: 136770 (published 2020-05-22, modified 2020-05-22, last seen 2020-06-10)
- Source: https://www.tenable.com/plugins/nessus/136770
- Description: The version of Tomcat installed on the remote host is prior to 7.0.104. It is, therefore, affected by a remote code execution vulnerability as referenced in the fixed_in_apache_tomcat_7.0.104_security-7 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application

RHEL 7 : tomcat (RHSA-2020:2530)
- NASL family: Red Hat Local Security Checks
- NASL id: REDHAT-RHSA-2020-2530.NASL
- Plugin id: 137360 (published 2020-06-11, modified 2020-06-11, last seen 2020-06-12)
- Source: https://www.tenable.com/plugins/nessus/137360
- Description: The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2530 advisory. - tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484) Note that Nessus has not tested for this issue but has instead relied only on the application

Scientific Linux Security Update : tomcat on SL7.x (noarch) (20200611)
- NASL family: Scientific Linux Local Security Checks
- NASL id: SL_20200611_TOMCAT_ON_SL7_X.NASL
- Plugin id: 137390 (published 2020-06-12, modified 2020-06-12, last seen 2020-06-13)
- Source: https://www.tenable.com/plugins/nessus/137390
- Description: Security Fix(es) : - tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)

FreeBSD : Apache Tomcat Remote Code Execution via session persistence (676ca486-9c1e-11ea-8b5e-b42e99a1b9c3)
- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_676CA4869C1E11EA8B5EB42E99A1B9C3.NASL
- Plugin id: 136851 (published 2020-05-26, modified 2020-05-26, last seen 2020-06-03)
- Source: https://www.tenable.com/plugins/nessus/136851
- Description: The Apache Software Foundation reports : Under certain circumstances an attacker will be able to trigger remote code execution via deserialization of the file under their control

Photon OS 3.0: Apache PHSA-2020-3.0-0100
- NASL family: PhotonOS Local Security Checks
- NASL id: PHOTONOS_PHSA-2020-3_0-0100_APACHE.NASL
- Plugin id: 137189 (published 2020-06-06, modified 2020-06-06, last seen 2020-06-10)
- Source: https://www.tenable.com/plugins/nessus/137189
- Description: An update of the apache package has been released.

Debian DLA-2209-1 : tomcat8 security update
- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DLA-2209.NASL
- Plugin id: 136951 (published 2020-05-29, modified 2020-05-29, last seen 2020-06-06)
- Source: https://www.tenable.com/plugins/nessus/136951
- Description: Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a working AJP configuration. The option secretRequired defaults to true now. You should define a secret in your server.xml or you can revert back by setting secretRequired to false.
  - CVE-2019-17563: When using FORM authentication with Apache Tomcat there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
  - CVE-2020-1935: In Apache Tomcat the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.
  - CVE-2020-1938: When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Previously Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. Note that Debian already disabled the AJP connector by default. Mitigation is only required if the AJP port was made accessible to untrusted users.
  - CVE-2020-9484: When using Apache Tomcat and an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=
References
- https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html
- https://security.netapp.com/advisory/ntap-20200528-0005/
- https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
- http://seclists.org/fulldisclosure/2020/Jun/6
- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
- https://security.gentoo.org/glsa/202006-21
- https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.debian.org/security/2020/dsa-4727
- https://usn.ubuntu.com/4448-1/
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://usn.ubuntu.com/4596-1/
- https://www.oracle.com/security-alerts/cpujan2021.html
- http://www.openwall.com/lists/oss-security/2021/03/01/2
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/
- https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E