A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. An attacker can exploit the flaw if all of the following are true:
* An attacker is able to control the contents and name of a file on the server.
* The server is configured to use the PersistenceManager with a FileStore.
* The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized.
* The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.
If all these conditions are true, the attacker can use a specifically crafted request to trigger Remote Code Execution through deserialization of the file under their control.

This flaw affects the following Tomcat versions: 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, and 7.0.0 to 7.0.103.

Upstream commits:
Tomcat 10.0: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b
Tomcat 9.0: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222
Tomcat 8.5: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f
Tomcat 7.0: https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623cfd06

External References:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E
http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104
Mitigation: Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized.
This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat Data Grid 6
* Red Hat JBoss Data Virtualization 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1838964]
Default tomcat configurations are not affected, to be affected you need to have in server.xml
+++
<Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore" directory="DIRECTORY"/>
</Manager>
+++
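The exposed configuration quoted above next to the mitigated form from the "Mitigation" comment, as an added example that is not part of the bug report or of Tomcat's own documentation. It assumes the Manager lives in a <Context> (context.xml or a <Context> in server.xml) and uses the filter regex that Tomcat's docs give as the SecurityManager default; adapt the regex to the attribute value types your application actually stores.

```xml
<!-- Added example, not from the bug report. DIRECTORY is a placeholder. -->

<!-- 1. Exposed: PersistentManager + FileStore with no class-name filter.
        Every serializable class on the web application's classpath can be
        deserialized from a session file under DIRECTORY, which is the
        precondition this bug describes. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="DIRECTORY"/>
  </Manager>
</Context>

<!-- 2. Mitigated: sessionAttributeValueClassNameFilter is a regular expression
        that must match the WHOLE fully qualified class name of each attribute
        value being persisted or restored; classes that do not match are
        rejected instead of deserialized. This value allows only simple JDK
        value types (assumption: the same pattern Tomcat's docs list as the
        default when a SecurityManager is enabled). Set
        warnOnSessionAttributeFilterFailure="true" so rejected classes are
        logged rather than dropped silently, which also gives a detection
        signal for an unexpected class in a session file. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore" directory="DIRECTORY"/>
  </Manager>
</Context>
```

If the application stores its own classes in the session, extend the alternation with their fully qualified names (for example `|com\.example\.app\.UserPrefs`) rather than loosening the pattern to a wildcard, since a wildcard restores the "sufficiently lax filter" condition from the description.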
This issue has been addressed in the following products:
Red Hat JBoss Web Server 3 for RHEL 7
Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2020:2483 https://access.redhat.com/errata/RHSA-2020:2483
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:2487 https://access.redhat.com/errata/RHSA-2020:2487
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.3 on RHEL 7
Red Hat JBoss Web Server 5.3 on RHEL 6
Red Hat JBoss Web Server 5.3 on RHEL 8
Via RHSA-2020:2506 https://access.redhat.com/errata/RHSA-2020:2506
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:2509 https://access.redhat.com/errata/RHSA-2020:2509
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-9484
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:2530 https://access.redhat.com/errata/RHSA-2020:2530
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2020:2529 https://access.redhat.com/errata/RHSA-2020:2529
This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.1.15 Via RHSA-2020:3017 https://access.redhat.com/errata/RHSA-2020:3017
Statement: In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.

Red Hat Satellite does not ship Tomcat and rather uses its configuration. The product is not affected because the configuration does not make use of PersistenceManager or FileStore. Tomcat updates can be obtained from Red Hat Enterprise Linux (RHEL) RHSA.
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
This issue has been addressed in the following products: Red Hat Fuse 7.11 Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532