Apache Tomcat has released a fix for a critical Remote Code Execution (RCE) vulnerability (CVE-2020-9484) that arises from the handling of persisted sessions.
To exploit this vulnerability, an attacker needs to meet all of the conditions listed below:
- The server is configured to use the PersistenceManager with a FileStore.
- The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialised.
- The attacker is able to control the contents and name of a file on the server.
- The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.
If all four of the above conditions are satisfied at the same time, an attacker can send a maliciously constructed request that triggers deserialisation of the controlled file and leads to code execution. The affected versions are:
- Apache Tomcat 10.x < 10.0.0-M5
- Apache Tomcat 9.x < 9.0.35
- Apache Tomcat 8.x < 8.5.55
- Apache Tomcat 7.x < 7.0.104
Users and administrators of Apache Tomcat websites are advised to upgrade to a fixed version (10.0.0-M5, 9.0.35, 8.5.55 or 7.0.104 respectively) as soon as possible.
Users and administrators who are unable to upgrade can temporarily disable the FileStore, or set sessionAttributeValueClassNameFilter explicitly so that only session attribute values of specific classes can be serialised/deserialised.
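The following checker, added here as an example and not part of the advisory or of Tomcat itself, parses a context.xml and flags any Manager that meets the first two conditions above (a PersistentManager, whose actual class name is org.apache.catalina.session.PersistentManager, backed by a FileStore with no value-class filter), which is also how to verify the interim mitigation. The two embedded context.xml samples and the allow-list regex in the hardened one are constructed for illustration.

```python
"""Flag Tomcat Manager configurations matching the CVE-2020-9484 preconditions."""
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"

# Constructed sample: a PersistentManager writing sessions to disk with no
# value-class filter, i.e. conditions 1 and 2 of the advisory are both met.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: same Manager with an explicit allow-list of attribute
# value classes (the interim mitigation); the regex itself is an assumption.
HARDENED_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""


def check_context(xml_text):
    """Return one finding string per Manager that is a PersistentManager using a
    FileStore without a sessionAttributeValueClassNameFilter; [] means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue  # StandardManager does not persist sessions to a Store
        stores = [s for s in manager.findall("Store") if s.get("className") == FILE_STORE]
        if not stores:
            continue  # no FileStore (e.g. JDBCStore): condition 1 not met
        value_filter = manager.get(FILTER_ATTR)
        # Treat an absent attribute, or the literal "null", as "no filter".
        if value_filter is None or value_filter.strip().lower() == "null":
            findings.append(
                f"PersistentManager with FileStore (directory={stores[0].get('directory')!r}) "
                f"has no {FILTER_ATTR}: attribute values of any class may be deserialised"
            )
    return findings


if __name__ == "__main__":
    for name, xml_text in (("weak", WEAK_CONTEXT_XML), ("hardened", HARDENED_CONTEXT_XML)):
        print(name, "->", check_context(xml_text) or "no findings")
```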
More information is available here: