Bug 1838332 (CVE-2020-9484) - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
Summary: CVE-2020-9484 tomcat: deserialization flaw in session persistence storage lea...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-9484
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1838346 1838347 1838348 1838349 1838350 1838351 1838964 1840941 1846135 1860088
Blocks: 1838333
TreeView+ depends on / blocked
 
Reported: 2020-05-20 22:57 UTC by Ted Jongseok Won
Modified: 2022-07-07 14:20 UTC (History)
91 users (show)

Fixed In Version: tomcat 10.0.0-M5, tomcat 9.0.35, tomcat 8.5.55, tomcat 7.0.104
Doc Type: If docs needed, set a value
Doc Text:
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-06-10 17:20:32 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2604 0 None None None 2020-06-17 19:31:49 UTC
Red Hat Product Errata RHBA-2020:2609 0 None None None 2020-06-17 19:58:02 UTC
Red Hat Product Errata RHBA-2020:2678 0 None None None 2020-06-23 13:45:47 UTC
Red Hat Product Errata RHBA-2020:2716 0 None None None 2020-06-24 10:24:43 UTC
Red Hat Product Errata RHBA-2020:2717 0 None None None 2020-06-24 10:21:07 UTC
Red Hat Product Errata RHBA-2020:2923 0 None None None 2020-07-14 18:36:58 UTC
Red Hat Product Errata RHSA-2020:2483 0 None None None 2020-06-10 14:51:02 UTC
Red Hat Product Errata RHSA-2020:2487 0 None None None 2020-06-10 15:04:12 UTC
Red Hat Product Errata RHSA-2020:2506 0 None None None 2020-06-10 16:27:09 UTC
Red Hat Product Errata RHSA-2020:2509 0 None None None 2020-06-10 17:05:53 UTC
Red Hat Product Errata RHSA-2020:2529 0 None None None 2020-06-11 09:57:06 UTC
Red Hat Product Errata RHSA-2020:2530 0 None None None 2020-06-11 09:46:17 UTC
Red Hat Product Errata RHSA-2020:3017 0 None None None 2020-07-27 13:09:04 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:23:13 UTC
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:20:01 UTC

Description Ted Jongseok Won 2020-05-20 22:57:12 UTC
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. An attacker can exploit the flaw if all of the following are true:
* An attacker is able to control the contents and name of a file on the server.
* The server is configured to use the PersistenceManager with a FileStore.
* The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized.
* The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.
If all these conditions are true, the attacker can use a specifically crafted request to trigger Remote Code Execution through deserialization of the file under their control.

This flaw affects the following Tomcat versions: 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, and 7.0.0 to 7.0.103.

Upstream commits:

Tomcat 10.0: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b
Tomcat 9.0: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222
Tomcat 8.5: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f
Tomcat 7.0: https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623cfd06

Comment 2 Ted Jongseok Won 2020-05-20 22:57:29 UTC
Mitigation:

Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized.

Comment 6 Ted Jongseok Won 2020-05-21 04:28:18 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Data Grid 6
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 9 Tomas Hoger 2020-05-22 07:41:10 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1838964]

Comment 15 Jean-frederic Clere 2020-05-27 07:56:01 UTC
Default tomcat configurations are not affected, to be affected you need to have in server.xml
+++
    <Manager className="org.apache.catalina.session.PersistentManager">
       <Store className="org.apache.catalina.session.FileStore" directory="DIRECTORY"/>
    </Manager>
+++

Comment 25 errata-xmlrpc 2020-06-10 14:50:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2020:2483 https://access.redhat.com/errata/RHSA-2020:2483

Comment 26 errata-xmlrpc 2020-06-10 15:04:08 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:2487 https://access.redhat.com/errata/RHSA-2020:2487

Comment 27 errata-xmlrpc 2020-06-10 16:27:05 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.3 on RHEL 7
  Red Hat JBoss Web Server 5.3 on RHEL 6
  Red Hat JBoss Web Server 5.3 on RHEL 8

Via RHSA-2020:2506 https://access.redhat.com/errata/RHSA-2020:2506

Comment 28 errata-xmlrpc 2020-06-10 17:05:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:2509 https://access.redhat.com/errata/RHSA-2020:2509

Comment 29 Product Security DevOps Team 2020-06-10 17:20:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-9484

Comment 32 errata-xmlrpc 2020-06-11 09:46:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2530 https://access.redhat.com/errata/RHSA-2020:2530

Comment 33 errata-xmlrpc 2020-06-11 09:57:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2020:2529 https://access.redhat.com/errata/RHSA-2020:2529

Comment 37 errata-xmlrpc 2020-07-27 13:09:00 UTC
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.1.15

Via RHSA-2020:3017 https://access.redhat.com/errata/RHSA-2020:3017

Comment 39 Yadnyawalk Tale 2020-09-30 06:47:19 UTC
Statement:

In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability can not be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.

Red Hat Satellite do not ship Tomcat and rather use its configuration. The product is not affected because configuration does not make use of PersistanceManager or FileStore. Tomcat updates can be obtain from Red Hat Enterprise Linux (RHEL) RHSA.

Comment 40 errata-xmlrpc 2021-08-11 18:23:07 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 43 errata-xmlrpc 2022-07-07 14:19:55 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532


Note You need to log in before you can comment on or make changes to this bug.