ID

VAR-202005-1052

CVE

CVE-2020-9484

TITLE

Apache Tomcat Code problem vulnerability

DESCRIPTION

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. The program implements support for Servlet and JavaServer Page (JSP). The following products and versions are affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to Version 7.0.103. A deserialization flaw exists in Apache Tomcat's use of a FileStore. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-9484) The fix for CVE-2020-9484 was incomplete. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329). For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u2. We recommend that you upgrade your tomcat9 packages. For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9 Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl8R6BwACgkQEMKTtsN8 TjbUrw//fOLw1bfjQwHr4fug5xgGtIjccQvMgZ6r4jVWDNUWGns/n0HBIg7IFANW 1LTBXunNygapGke96Cexs/mimcs47wr9Xj6B9R7935NgF7dbXiDPhX99fmMSu4qE mpt9GmynGSOqr2qt+bHMZSIrZ2rpT/WoDbmnVvK0h30Il7VZ2pMEbzq7gd7sfsbO 0FbQr9kza5d5kvih7DLfq/7plhLouyUhzAab3UUJvI1B3ASD4pfEFDSmBJusHJGG 2CTtrO8IFUyYW0ev4/I2KT6rrFiXccEtFhUlpU09SLpy96FP161UVoHILkPHhfqI 9XILKEf0mKVlDfq5q2TOY5WVl8palc5o/Z3xefO4/wZc7/qNNnyzwcNHl6s14czv REID8Llfbro3/XWHkwLXPNFr1VzYXZSX1XhTwKWPWaH+L5WsUSr5uryqIUvSQ96L tTWv3G7KZDwVlio1XJ1t7ZxMkKqEBjvucShFgaOIw1nVD1IrssMKMz9UJQCd4fH5 RtUakyBzUuPbAhUcunMj23n2slZ9WbCANIGKy56O6R71rYI9mYOG2nF2IuUct/F2 iG3/SLJCe2ghVx2Lgz8/nBhZfPEF5FZ2kPHb9KpjjyZ+vl8ZXH83heaYDlDAknXS bTsyFezxJiAwaa9xozjItZPdIBFP9lG8Txmv1AotH7WV/8dRsOU= =E8Ei -----END PGP SIGNATURE----- . Solution: Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on. The References section of this erratum contains a download link for the update. You must be logged in to download the update. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update Advisory ID: RHSA-2020:2483-01 Product: Red Hat JBoss Web Server Advisory URL: https://access.redhat.com/errata/RHSA-2020:2483 Issue date: 2020-06-10 CVE Names: CVE-2020-9484 ==================================================================== 1. Summary: An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat JBoss Web Server 3.1 for RHEL 6 - i386, noarch, x86_64 Red Hat JBoss Web Server 3.1 for RHEL 7 - noarch, x86_64 3. Description: Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es): * tomcat: Apache Tomcat Remote Code Execution via session persistence (CVE-2020-9484) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. For details on how to apply this update, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE 6. Package List: Red Hat JBoss Web Server 3.1 for RHEL 6: Source: tomcat-native-1.2.23-22.redhat_22.ep7.el6.src.rpm tomcat7-7.0.70-40.ep7.el6.src.rpm tomcat8-8.0.36-44.ep7.el6.src.rpm i386: tomcat-native-1.2.23-22.redhat_22.ep7.el6.i686.rpm tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el6.i686.rpm noarch: tomcat7-7.0.70-40.ep7.el6.noarch.rpm tomcat7-admin-webapps-7.0.70-40.ep7.el6.noarch.rpm tomcat7-docs-webapp-7.0.70-40.ep7.el6.noarch.rpm tomcat7-el-2.2-api-7.0.70-40.ep7.el6.noarch.rpm tomcat7-javadoc-7.0.70-40.ep7.el6.noarch.rpm tomcat7-jsp-2.2-api-7.0.70-40.ep7.el6.noarch.rpm tomcat7-jsvc-7.0.70-40.ep7.el6.noarch.rpm tomcat7-lib-7.0.70-40.ep7.el6.noarch.rpm tomcat7-log4j-7.0.70-40.ep7.el6.noarch.rpm tomcat7-selinux-7.0.70-40.ep7.el6.noarch.rpm tomcat7-servlet-3.0-api-7.0.70-40.ep7.el6.noarch.rpm tomcat7-webapps-7.0.70-40.ep7.el6.noarch.rpm tomcat8-8.0.36-44.ep7.el6.noarch.rpm tomcat8-admin-webapps-8.0.36-44.ep7.el6.noarch.rpm tomcat8-docs-webapp-8.0.36-44.ep7.el6.noarch.rpm tomcat8-el-2.2-api-8.0.36-44.ep7.el6.noarch.rpm tomcat8-javadoc-8.0.36-44.ep7.el6.noarch.rpm tomcat8-jsp-2.3-api-8.0.36-44.ep7.el6.noarch.rpm tomcat8-jsvc-8.0.36-44.ep7.el6.noarch.rpm tomcat8-lib-8.0.36-44.ep7.el6.noarch.rpm tomcat8-log4j-8.0.36-44.ep7.el6.noarch.rpm tomcat8-selinux-8.0.36-44.ep7.el6.noarch.rpm tomcat8-servlet-3.1-api-8.0.36-44.ep7.el6.noarch.rpm tomcat8-webapps-8.0.36-44.ep7.el6.noarch.rpm x86_64: tomcat-native-1.2.23-22.redhat_22.ep7.el6.x86_64.rpm tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el6.x86_64.rpm Red Hat JBoss Web Server 3.1 for RHEL 7: Source: tomcat-native-1.2.23-22.redhat_22.ep7.el7.src.rpm tomcat7-7.0.70-40.ep7.el7.src.rpm tomcat8-8.0.36-44.ep7.el7.src.rpm noarch: tomcat7-7.0.70-40.ep7.el7.noarch.rpm tomcat7-admin-webapps-7.0.70-40.ep7.el7.noarch.rpm tomcat7-docs-webapp-7.0.70-40.ep7.el7.noarch.rpm tomcat7-el-2.2-api-7.0.70-40.ep7.el7.noarch.rpm tomcat7-javadoc-7.0.70-40.ep7.el7.noarch.rpm tomcat7-jsp-2.2-api-7.0.70-40.ep7.el7.noarch.rpm tomcat7-jsvc-7.0.70-40.ep7.el7.noarch.rpm tomcat7-lib-7.0.70-40.ep7.el7.noarch.rpm tomcat7-log4j-7.0.70-40.ep7.el7.noarch.rpm tomcat7-selinux-7.0.70-40.ep7.el7.noarch.rpm tomcat7-servlet-3.0-api-7.0.70-40.ep7.el7.noarch.rpm tomcat7-webapps-7.0.70-40.ep7.el7.noarch.rpm tomcat8-8.0.36-44.ep7.el7.noarch.rpm tomcat8-admin-webapps-8.0.36-44.ep7.el7.noarch.rpm tomcat8-docs-webapp-8.0.36-44.ep7.el7.noarch.rpm tomcat8-el-2.2-api-8.0.36-44.ep7.el7.noarch.rpm tomcat8-javadoc-8.0.36-44.ep7.el7.noarch.rpm tomcat8-jsp-2.3-api-8.0.36-44.ep7.el7.noarch.rpm tomcat8-jsvc-8.0.36-44.ep7.el7.noarch.rpm tomcat8-lib-8.0.36-44.ep7.el7.noarch.rpm tomcat8-log4j-8.0.36-44.ep7.el7.noarch.rpm tomcat8-selinux-8.0.36-44.ep7.el7.noarch.rpm tomcat8-servlet-3.1-api-8.0.36-44.ep7.el7.noarch.rpm tomcat8-webapps-8.0.36-44.ep7.el7.noarch.rpm x86_64: tomcat-native-1.2.23-22.redhat_22.ep7.el7.x86_64.rpm tomcat-native-debuginfo-1.2.23-22.redhat_22.ep7.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXuDzktzjgjWX9erEAQgi/w//Xj/qCl98tBEg+2ffj+TA0Is16FtznlWO xIScyhvleDsX7AZ/o+Fd/8bqePrC4fPYmrPwe29i6IkcbOK1oQY786YLZsD78KTV 0M4QIR5JserxNzylp29q2R6xQdH0mTLTK1BfYLSoi63Fx/XdFz8dnkWs6PxJLEan mM0ioyWz3rPlA133UMX6gr6LEWNcV36+DeOuDt6xwtPCwFsG9Uh95XV0yYkPyUa+ k6N1bl0Z1gAb8CDA0Bb9ACT/wNIFj2Ops1d5gr0X6uxhhieGRYMKFqyJ7amEcpCW WkiVL3Jr4cCI3JgVLJ+9VwK9ifqiFPT/uFBFqukodeUi4jt5B6MCutWjg5MMlyjk zYJFaOtzpYdN94XLQliHpUnFcwgqNzl7D1aAhianL/SYC7im9embS+os0h8r0y/K zh2FkLbtb+hrxGQKbaCJXlHhXbng6ke1xxnT6JeKIqFnJhl3WOisDSQBVwtJqTjW gtdHIPSUVRaA1Q62xN+ERDAWKcXGh1r/B7RnX8e7mjmVBj8sw33rLJtz8XAIwztI dQDrF6NZsO6sozXsd8tODjgTaXHRqXv4gDp2BqJRCYGf3CjlvCtRcEkgK7WN8B1o Nbgz9YN9a5MRSU/tvViPZ97jtTi376HAxZb8hrEIq43CgKdGdYeD9nGp/PXrFT3Z T4TlPOipQc8=m5kE -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-4448-1 August 04, 2020 tomcat8 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Tomcat. Software Description: - tomcat8: Servlet and JSP engine Details: It was discovered that Tomcat incorrectly validated the payload length in a WebSocket frame. (CVE-2020-13935) It was discovered that Tomcat incorrectly handled HTTP header parsing. In certain environments where Tomcat is located behind a reverse proxy, a remote attacker could possibly use this issue to perform HTTP Reqest Smuggling. (CVE-2020-1935) It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations. (CVE-2020-9484) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 LTS: libtomcat8-java 8.0.32-1ubuntu1.13 tomcat8 8.0.32-1ubuntu1.13 In general, a standard system update will make all the necessary changes. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-servers/tomcat < 7.0.104:7 >= 7.0.104:7 < 8.5.55:8.5 >= 8.5.55:8.5 Description =========== Apache Tomcat improperly handles deserialization of files under specific circumstances. Impact ====== A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround ========== There is no known workaround at this time. Resolution ========== All Apache Tomcat 7.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.104" All Apache Tomcat 8.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.55" References ========== [ 1 ] CVE-2020-9484 https://nvd.nist.gov/vuln/detail/CVE-2020-9484 [ 2 ] Upstream advisory (7) https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104 [ 3 ] Upstream advisory (8.5) https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202006-21 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2020 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5 . The purpose of this text-only errata is to inform you about the security issues fixed in this release. Installation instructions are available from the Fuse 7.11.0 product documentation page: https://access.redhat.com/documentation/en-us/red_hat_fuse/7.11/ 4. Bugs fixed (https://bugzilla.redhat.com/): 1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE 1887810 - CVE-2020-15250 junit4: TemporaryFolder is shared between all users across system which could result in information disclosure 1893070 - CVE-2020-25689 wildfly-core: memory leak in WildFly host-controller in domain mode while not able to reconnect to domain-controller 1893125 - CVE-2020-7020 elasticsearch: not properly preserving security permissions when executing complex queries may lead to information disclosure 1917209 - CVE-2021-24122 tomcat: Information disclosure when using NTFS file system 1930291 - CVE-2020-29582 kotlin: vulnerable Java API was used for temporary file and folder creation which could result in information disclosure 1934032 - CVE-2021-25122 tomcat: Request mix-up with h2c 1934061 - CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence) 1966735 - CVE-2021-29505 XStream: remote command execution attack by manipulating the processed input stream 1973413 - CVE-2021-33813 jdom: XXE allows attackers to cause a DoS via a crafted HTTP request 1976052 - CVE-2021-3644 wildfly-core: Invalid Sensitivity Classification of Vault Expression 1977064 - CVE-2021-22119 spring-security: Denial-of-Service (DoS) attack via initiation of Authorization Request 1977362 - CVE-2021-3629 undertow: potential security issue in flow control over HTTP/2 may lead to DOS 1981407 - CVE-2021-3642 wildfly-elytron: possible timing attack in ScramServer 1981533 - CVE-2021-33037 tomcat: HTTP request smuggling when used with a reverse proxy 1981544 - CVE-2021-30640 tomcat: JNDI realm authentication weakness 1981895 - CVE-2021-35515 apache-commons-compress: infinite loop when reading a specially crafted 7Z archive 1981900 - CVE-2021-35516 apache-commons-compress: excessive memory allocation when reading a specially crafted 7Z archive 1981903 - CVE-2021-35517 apache-commons-compress: excessive memory allocation when reading a specially crafted TAR archive 1981909 - CVE-2021-36090 apache-commons-compress: excessive memory allocation when reading a specially crafted ZIP archive 2004820 - CVE-2021-41079 tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine 2007557 - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes 2009041 - CVE-2021-38153 Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients 2010378 - CVE-2021-3859 undertow: client side invocation timeout raised when calling over HTTP2 2011190 - CVE-2021-40690 xml-security: XPath Transform abuse allows for information disclosure 2014356 - CVE-2021-42340 tomcat: OutOfMemoryError caused by HTTP upgrade connection leak could lead to DoS 2020583 - CVE-2021-2471 mysql-connector-java: unauthorized access to critical 2031958 - CVE-2021-43797 netty: control chars in header names may lead to HTTP request smuggling 2033560 - CVE-2021-42550 logback: remote code execution through JNDI call from within its configuration file 2034388 - CVE-2021-4178 kubernetes-client: Insecure deserialization in unmarshalYaml method 2034584 - CVE-2021-22096 springframework: malicious input leads to insertion of additional log entries 2039903 - CVE-2021-22569 protobuf-java: potential DoS in the parsing procedure for binary data 2044596 - CVE-2022-23221 h2: Loading of custom classes from remote servers through JNDI 2046279 - CVE-2022-22932 karaf: path traversal flaws 2046282 - CVE-2021-41766 karaf: insecure java deserialization 2047343 - CVE-2022-21363 mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors 2047417 - CVE-2022-23181 tomcat: local privilege escalation vulnerability 2049778 - CVE-2022-23596 junrar: A carefully crafted RAR archive can trigger an infinite loop while extracting 2049783 - CVE-2021-43859 xstream: Injecting highly recursive collections or maps can cause a DoS 2050863 - CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes 2055480 - CVE-2021-22060 springframework: Additional Log Injection in Spring Framework (follow-up to CVE-2021-22096) 2058763 - CVE-2022-24614 metadata-extractor: Out-of-memory when reading a specially crafted JPEG file 2063292 - CVE-2022-26336 poi-scratchpad: A carefully crafted TNEF file can cause an out of memory exception 2063601 - CVE-2022-23913 artemis-commons: Apache ActiveMQ Artemis DoS 2064007 - CVE-2022-26520 postgresql-jdbc: Arbitrary File Write Vulnerability 2064226 - CVE-2022-0084 xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr 2064698 - CVE-2020-36518 jackson-databind: denial of service via a large depth of nested objects 2069414 - CVE-2022-22950 spring-expression: Denial of service via specially crafted SpEL expression 2072339 - CVE-2022-1259 undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629) 2073890 - CVE-2022-1319 undertow: Double AJP response for 400 from EAP 7 results in CPING failures 2075441 - CVE-2022-22968 Spring Framework: Data Binding Rules Vulnerability 2081879 - CVE-2021-22573 google-oauth-client: Token signature not verified 2087214 - CVE-2022-22976 springframework: BCrypt skips salt rounds for work factor of 31 2087272 - CVE-2022-22970 springframework: DoS via data binding to multipartFile or servlet part 2087274 - CVE-2022-22971 springframework: DoS with STOMP over WebSocket 2087606 - CVE-2022-22978 springframework: Authorization Bypass in RegexRequestMatcher 2088523 - CVE-2022-30126 tika-core: Regular Expression Denial of Service in standards extractor 2100654 - CVE-2022-25845 fastjson: autoType shutdown restriction bypass leads to deserialization 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

code problem

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Ubuntu

SOURCES

LAST UPDATE DATE

2026-01-23T01:18:55.553000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE