https://bugzilla.redhat.com/show_bug.cgi?id=1838332
Bug ID: 1838332
Summary: CVE-2020-9484 tomcat: Apache Tomcat Remote Code Execution via session persistence
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: jwon@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, alee@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmoulliard@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gzaronik@redhat.com, hhorak@redhat.com, ibek@redhat.com, ikanello@redhat.com, ivan.afonichev@gmail.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jclere@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jolee@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, kbasil@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, kwills@redhat.com, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, mbabacek@redhat.com, mburns@redhat.com, mizdebsk@redhat.com, mkolesni@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, myarboro@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, tom.jenkinson@redhat.com, vhalbert@redhat.com, weli@redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in Apache Tomcat's session persistence when using PersistenceManager with a FileStore.
If:
a) an attacker is able to control the contents and name of a file on the server; and
b) the server is configured to use the PersistenceManager with a FileStore; and
c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;
then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
It affects versions of Apache Tomcat 10 before 10.0.0-M4, Apache Tomcat 9 before 9.0.34, Tomcat 8 before 8.5.54, and Tomcat 7 before 7.0.103.
Upstream commits:
Tomcat 10.0: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca8902...
Tomcat 9.0: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a...
Tomcat 8.5: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20af...
Tomcat 7.0: https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623c...
--- Comment #1 from Ted (Jong Seok) Won jwon@redhat.com --- External References:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0...
http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104
--- Comment #2 from Ted (Jong Seok) Won jwon@redhat.com --- Mitigation:
Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized.
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
Blocks | | 1838333
Todd Cullum tcullum@redhat.com changed:
What | Removed | Added
Depends On | | 1838349, 1838350, 1838346, 1838347, 1838351, 1838348
--- Comment #5 from Todd Cullum tcullum@redhat.com --- Statement:
The versions of Apache Tomcat shipped with Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6 are not affected by this flaw.
--- Comment #6 from Ted (Jong Seok) Won jwon@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat Data Grid 6
* Red Hat JBoss Data Virtualization 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Tomas Hoger thoger@redhat.com changed:
What | Removed | Added
Fixed In Version | Tomcat 10.0.0-M5, Tomcat 9.0.35, Tomcat 8.5.55, Tomcat 7.0.104 | tomcat 10.0.0-M5, tomcat 9.0.35, tomcat 8.5.55, tomcat 7.0.104
Tomas Hoger thoger@redhat.com changed:
What | Removed | Added
Depends On | | 1838964
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1838964 [Bug 1838964] CVE-2020-9484 tomcat: Apache Tomcat Remote Code Execution via session persistence [fedora-all]
--- Comment #9 from Tomas Hoger thoger@redhat.com --- Created tomcat tracking bugs for this issue:
Affects: fedora-all [bug 1838964]
Bin Hu bihu@redhat.com changed:
What | Removed | Added
CC | | bihu@redhat.com
Doc Type | --- | If docs needed, set a value
--- Doc Text *updated* by Summer Long slong@redhat.com --- A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. An attacker can exploit the flaw if all of the following are true:
* An attacker is able to control the contents and name of a file on the server.
* The server is configured to use the PersistenceManager with a FileStore.
* The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized.
* The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.
If all these conditions are true, the attacker can use a specifically crafted request to trigger Remote Code Execution through deserialization of the file under their control.
Summer Long slong@redhat.com changed:
What | Removed | Added
Comment | 0 | updated
--- Comment #15 from Jean-frederic Clere jclere@redhat.com --- Default tomcat configurations are not affected; to be affected you need to have in server.xml
+++
<Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore" directory="DIRECTORY"/>
</Manager>
+++
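As an added example, not part of this bug report and not code from Red Hat or Apache Tomcat, the following Python script audits a server.xml for the exposed configuration shape shown in Comment #15 and for the mitigation from Comment #2: it flags a PersistentManager backed by a FileStore whose sessionAttributeValueClassNameFilter is absent (the "null" default) or so permissive that it matches any class name. The sample configurations, the probe class name and the example allow-list regex are constructed for the demonstration; the real default filter used under a SecurityManager is not reproduced here.

```python
"""Audit a Tomcat server.xml / context.xml for the CVE-2020-9484 precondition:
a PersistentManager backed by a FileStore whose sessionAttributeValueClassNameFilter
is unset (null) or so permissive that it admits any class for deserialisation.

Added example for this bug page; not code from Red Hat or Apache Tomcat.
The sample configurations at the bottom are constructed for the demonstration.
"""
import re
import sys
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"

# Constructed probe class name. Tomcat applies the filter regex as an anchored
# match against the class name of every attribute value it (de)serialises, so an
# allow-list that fully matches this made-up name is effectively allow-all.
PROBE_CLASS = "example.attacker.NotAnAllowedClass"


def audit_manager(manager):
    """Return a finding string for one <Manager> element, or None if it is fine."""
    if manager.get("className") != PERSISTENT_MANAGER:
        return None  # StandardManager (the default) does not read FileStore files
    stores = [s for s in manager.findall("Store") if s.get("className") == FILE_STORE]
    if not stores:
        return None  # PersistentManager without a FileStore is outside this flaw
    where = ", ".join(s.get("directory", "(default)") for s in stores)
    flt = manager.get(FILTER_ATTR)
    # The bug text describes the default as "null"; this audit treats a literal
    # "null" or an empty string the same way as an absent attribute (assumption).
    if flt is None or flt.strip().lower() in ("", "null"):
        return f"missing {FILTER_ATTR} on PersistentManager/FileStore ({where})"
    try:
        allow_all = re.fullmatch(flt, PROBE_CLASS) is not None
    except re.error:
        return f"unparseable {FILTER_ATTR} {flt!r} on PersistentManager/FileStore ({where})"
    if allow_all:
        return f"lax {FILTER_ATTR} {flt!r} on PersistentManager/FileStore ({where})"
    return None


def audit_config(xml_text):
    """Return the list of findings for every <Manager> anywhere in the document."""
    root = ET.fromstring(xml_text)
    return [f for f in (audit_manager(m) for m in root.iter("Manager")) if f]


def _context(manager_xml):
    # Wrap one <Manager> element in a minimal, constructed server.xml skeleton.
    return f"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/app" docBase="app">
          {manager_xml}
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>"""


# The shape from Comment #15: PersistentManager + FileStore, no filter at all.
VULNERABLE_SERVER_XML = _context(
    '<Manager className="org.apache.catalina.session.PersistentManager">'
    '<Store className="org.apache.catalina.session.FileStore" directory="sessions"/>'
    "</Manager>"
)

# Same store, but with a filter that only admits a few JDK value types.
# The pattern is an example allow-list, not a Tomcat default.
HARDENED_SERVER_XML = _context(
    '<Manager className="org.apache.catalina.session.PersistentManager" '
    r'sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">'
    '<Store className="org.apache.catalina.session.FileStore" directory="sessions"/>'
    "</Manager>"
)

# A filter is present but matches everything, so it provides no protection.
LAX_SERVER_XML = _context(
    '<Manager className="org.apache.catalina.session.PersistentManager" '
    'sessionAttributeValueClassNameFilter=".*">'
    '<Store className="org.apache.catalina.session.FileStore" directory="sessions"/>'
    "</Manager>"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real file: python audit.py /path/to/server.xml
        with open(sys.argv[1], encoding="utf-8") as fh:
            findings = audit_config(fh.read())
    else:
        findings = audit_config(VULNERABLE_SERVER_XML)
    print("\n".join(findings) if findings else "no PersistentManager/FileStore exposure found")
```

The laxness check is deliberately simple: Python's re and Java's java.util.regex agree on the patterns an allow-list normally uses, but a filter that relies on Java-only syntax should be reviewed by hand. A clean result from this script only covers the filter precondition; the other conditions in the description (file control and a known relative path) are about the deployment, not server.xml.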
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. An attacker can exploit the flaw if all of the following are true:
* An attacker can control the contents and name of a file on the server.
* The server is configured to use the PersistenceManager with a FileStore.
* The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized.
* The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.
If all these conditions are true, the attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control.
Doran Moppert dmoppert@redhat.com changed:
What | Removed | Added
Depends On | | 1840941
Summer Long slong@redhat.com changed:
What | Removed | Added
Summary | CVE-2020-9484 tomcat: Apache Tomcat Remote Code Execution via session persistence | CVE-2020-9484 tomcat: deserialization flaw in persistence storage leading to RCE
yaoli@redhat.com changed:
What | Removed | Added
CC | | yaoli@redhat.com
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
Ted (Jong Seok) Won jwon@redhat.com changed:
What | Removed | Added
Summary | CVE-2020-9484 tomcat: deserialization flaw in persistence storage leading to RCE | CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server 3 for RHEL 7
Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2020:2483 https://access.redhat.com/errata/RHSA-2020:2483
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2483
--- Comment #26 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2020:2487 https://access.redhat.com/errata/RHSA-2020:2487
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2487
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.3 on RHEL 7
Red Hat JBoss Web Server 5.3 on RHEL 6
Red Hat JBoss Web Server 5.3 on RHEL 8
Via RHSA-2020:2506 https://access.redhat.com/errata/RHSA-2020:2506
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2506
--- Comment #28 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2020:2509 https://access.redhat.com/errata/RHSA-2020:2509
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2509
Product Security DevOps Team prodsec-dev@redhat.com changed:
What | Removed | Added
Status | NEW | CLOSED
Resolution | --- | ERRATA
Last Closed | | 2020-06-10 17:20:32
--- Comment #29 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-9484
Todd Cullum tcullum@redhat.com changed:
What | Removed | Added
Depends On | | 1846135
--- Comment #32 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2020:2530 https://access.redhat.com/errata/RHSA-2020:2530
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2530
--- Comment #33 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2020:2529 https://access.redhat.com/errata/RHSA-2020:2529
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:2529
--- Comment #34 from Todd Cullum tcullum@redhat.com --- Statement:
In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHBA-2020:2604
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHBA-2020:2609
Bug 1838332 depends on bug 1838964, which changed state.
Bug 1838964 Summary: CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1838964
What | Removed | Added
Status | ON_QA | CLOSED
Resolution | --- | ERRATA
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHBA-2020:2678
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHBA-2020:2717
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHBA-2020:2716
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHBA-2020:2923
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What | Removed | Added
Depends On | | 1860088
Guilherme de Almeida Suckevicz gsuckevi@redhat.com changed:
What | Removed | Added
Comment | 36 | updated
--- Comment #36 has been edited ---
RHEL-7.7 backport request at https://redhat.service-now.com/surl.do?n=INC1365481.
--- Comment #37 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Runtimes Spring Boot 2.1.15
Via RHSA-2020:3017 https://access.redhat.com/errata/RHSA-2020:3017
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2020:3017
--- Comment #39 from Yadnyawalk Tale ytale@redhat.com --- Statement:
In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.
Red Hat Satellite does not ship Tomcat and rather uses its configuration. The product is not affected because the configuration does not make use of PersistenceManager or FileStore. Tomcat updates can be obtained from Red Hat Enterprise Linux (RHEL) RHSA.
--- Comment #40 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2021:3140
Joshua Mulliken jmullike@redhat.com changed:
What | Removed | Added
CC | | pdrozd@redhat.com, sthorger@redhat.com
Paramvir jindal pjindal@redhat.com changed:
What | Removed | Added
CC | aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com |
--- Comment #43 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.11
Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What | Removed | Added
Link ID | | Red Hat Product Errata RHSA-2022:5532