Bug 1838332 (CVE-2020-9484)

Summary: CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
Product: [Other] Security Response
Reporter: Ted Jongseok Won <jwon>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: aileenc, akoufoud, alazarot, alee, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bihu, bmaxwell, brian.stansberry, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, etirelli, ggaughan, gmalinko, gzaronik, hhorak, ibek, ikanello, ivan.afonichev, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jclere, jjoyce, jlyle, jochrist, jolee, jorton, jpallich, jperkins, jschatte, jschluet, jstastny, jwon, kbasil, krathod, krzysztof.daniel, kverlaen, kwills, lgao, lhh, lpeer, lthon, mbabacek, mburns, mizdebsk, mkolesni, mnovotny, msochure, msvehla, mszynkie, myarboro, nwallace, paradhya, pgallagh, pjindal, pmackay, psotirop, rfreire, rguimara, rhcs-maint, rrajasek, rruss, rstancel, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, smaestri, tom.jenkinson, vhalbert, weli, yaoli, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: tomcat 10.0.0-M5, tomcat 9.0.35, tomcat 8.5.55, tomcat 7.0.104
Doc Type: If docs needed, set a value
Doc Text:
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-06-10 17:20:32 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1838346, 1838347, 1838348, 1838349, 1838350, 1838351, 1838964, 1840941, 1846135, 1860088
Bug Blocks: 1838333

Description Ted Jongseok Won 2020-05-20 22:57:12 UTC
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. An attacker can exploit the flaw if all of the following are true:
* An attacker is able to control the contents and name of a file on the server.
* The server is configured to use the PersistenceManager with a FileStore.
* The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized.
* The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.
If all these conditions are true, the attacker can use a specifically crafted request to trigger Remote Code Execution through deserialization of the file under their control.

This flaw affects the following Tomcat versions: 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, and 7.0.0 to 7.0.103.

Upstream commits:

Tomcat 10.0: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b
Tomcat 9.0: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222
Tomcat 8.5: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f
Tomcat 7.0: https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623cfd06

Comment 2 Ted Jongseok Won 2020-05-20 22:57:29 UTC
Mitigation:

Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized.

Comment 6 Ted Jongseok Won 2020-05-21 04:28:18 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Data Grid 6
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 9 Tomas Hoger 2020-05-22 07:41:10 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1838964]

Comment 15 Jean-frederic Clere 2020-05-27 07:56:01 UTC
Default Tomcat configurations are not affected; to be affected you need to have the following in server.xml:
+++
    <Manager className="org.apache.catalina.session.PersistentManager">
       <Store className="org.apache.catalina.session.FileStore" directory="DIRECTORY"/>
    </Manager>
+++
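The description lists four preconditions, Comment 2 gives the mitigation (a restrictive sessionAttributeValueClassNameFilter on the manager), and Comment 15 shows the server.xml fragment that makes an installation affected. The following is an added example, not code from the Tomcat project or from this bug report: a small configuration check that parses a Tomcat Manager/Store fragment and reports whether it combines PersistentManager with FileStore while leaving the class-name filter unset. The element and attribute names are Tomcat's own (org.apache.catalina.session.PersistentManager, org.apache.catalina.session.FileStore, sessionAttributeValueClassNameFilter); both sample configurations are constructed here, and the com.example.app package in the hardened filter is a placeholder. The check cannot see whether a SecurityManager is in use, so an absent filter is reported as unrestricted, which is the default behaviour the description gives for the no-SecurityManager case.

```python
"""Configuration check for the CVE-2020-9484 preconditions (added example)."""
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed sample: the configuration Comment 15 describes as affected.
# No sessionAttributeValueClassNameFilter is set, so any class on the
# classpath may be deserialized from the session file.
AFFECTED_CONFIG = """
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="DIRECTORY"/>
  </Manager>
</Context>
"""

# Constructed sample: the same setup with the mitigation from Comment 2
# applied. The filter is a regular expression; only a few JDK value types
# and the application's own attribute classes (placeholder package
# com.example.app) are allowed to be serialized and deserialized.
HARDENED_CONFIG = """
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|String)|com\\.example\\.app\\..*">
    <Store className="org.apache.catalina.session.FileStore" directory="DIRECTORY"/>
  </Manager>
</Context>
"""

# Constructed sample: a context with no persistent session manager at all,
# i.e. the default Tomcat configuration Comment 15 says is not affected.
DEFAULT_CONFIG = "<Context/>"


def filter_is_unrestricted(value):
    """True when the filter is absent, empty, or a catch-all pattern.
    An absent filter is the Tomcat default when no SecurityManager is used."""
    if value is None:
        return True
    value = value.strip()
    return value == "" or value == ".*"


def check_persistent_manager(xml_text):
    """Return one finding per Manager that matches the affected pattern:
    PersistentManager backed by a FileStore with an unrestricted filter.
    An empty list means the listed preconditions are not met by this
    configuration fragment."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        file_stores = [
            store for store in manager.findall("Store")
            if store.get("className") == FILE_STORE
        ]
        if not file_stores:
            continue
        if filter_is_unrestricted(manager.get("sessionAttributeValueClassNameFilter")):
            findings.append(
                "PersistentManager with FileStore (directory=%r) and no restrictive "
                "sessionAttributeValueClassNameFilter: CVE-2020-9484 preconditions met"
                % file_stores[0].get("directory")
            )
    return findings


if __name__ == "__main__":
    for name, config in (("affected", AFFECTED_CONFIG),
                         ("hardened", HARDENED_CONFIG),
                         ("default", DEFAULT_CONFIG)):
        print(name, check_persistent_manager(config) or "ok")
```

The check is deliberately narrow: it only decides the server-side configuration part of the preconditions (manager, store, filter). The other two conditions in the description, control over a file under the store directory and knowledge of its relative path, are about the deployment around Tomcat, and the fix is to upgrade to the versions listed under "Fixed In Version" regardless of the filter setting.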

Comment 25 errata-xmlrpc 2020-06-10 14:50:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2020:2483 https://access.redhat.com/errata/RHSA-2020:2483

Comment 26 errata-xmlrpc 2020-06-10 15:04:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:2487 https://access.redhat.com/errata/RHSA-2020:2487

Comment 27 errata-xmlrpc 2020-06-10 16:27:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.3 on RHEL 7
  Red Hat JBoss Web Server 5.3 on RHEL 6
  Red Hat JBoss Web Server 5.3 on RHEL 8

Via RHSA-2020:2506 https://access.redhat.com/errata/RHSA-2020:2506

Comment 28 errata-xmlrpc 2020-06-10 17:05:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:2509 https://access.redhat.com/errata/RHSA-2020:2509

Comment 29 Product Security DevOps Team 2020-06-10 17:20:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9484

Comment 32 errata-xmlrpc 2020-06-11 09:46:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2530 https://access.redhat.com/errata/RHSA-2020:2530

Comment 33 errata-xmlrpc 2020-06-11 09:57:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2529 https://access.redhat.com/errata/RHSA-2020:2529

Comment 37 errata-xmlrpc 2020-07-27 13:09:00 UTC
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.1.15

Via RHSA-2020:3017 https://access.redhat.com/errata/RHSA-2020:3017

Comment 39 Yadnyawalk Tale 2020-09-30 06:47:19 UTC
Statement:

In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.

Red Hat Satellite does not ship Tomcat and rather uses its configuration. The product is not affected because the configuration does not make use of PersistenceManager or FileStore. Tomcat updates can be obtained from the Red Hat Enterprise Linux (RHEL) RHSA.

Comment 40 errata-xmlrpc 2021-08-11 18:23:07 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 43 errata-xmlrpc 2022-07-07 14:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532