[ASA-202006-7] tomcat9: arbitrary code execution
foxboron at archlinux.org
Tue Jun 9 17:44:12 UTC 2020
Arch Linux Security Advisory ASA-202006-7
Date : 2020-06-06
CVE-ID : CVE-2020-9484
Package : tomcat9
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1171
The package tomcat9 before version 9.0.35-1 is vulnerable to arbitrary
Upgrade to 9.0.35-1.
# pacman -Syu "tomcat9>=9.0.35-1"
The problem has been fixed upstream in version 9.0.35.
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to
9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if: a) an attacker is able
to control the contents and name of a file on the server; and b) the
server is configured to use the PersistenceManager with a FileStore;
and c) the PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the
attacker provided object to be deserialized; and d) the attacker knows
the relative file path from the storage location used by FileStore to
the file the attacker has control over; then, using a specifically
crafted request, the attacker will be able to trigger remote code
execution via deserialization of the file under their control.
Note that all of conditions a) to d) must be true for the attack to
A remote attacker can execute code on the affected host if they control
the file content and know the path.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 833 bytes
Desc: not available
More information about the arch-security