[ASA-202006-7] tomcat9: arbitrary code execution

Morten Linderud foxboron at archlinux.org
Tue Jun 9 17:44:12 UTC 2020


Arch Linux Security Advisory ASA-202006-7
=========================================

Severity: High
Date    : 2020-06-06
CVE-ID  : CVE-2020-9484
Package : tomcat9
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1171

Summary
=======

The package tomcat9 before version 9.0.35-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 9.0.35-1.

# pacman -Syu "tomcat9>=9.0.35-1"

The problem has been fixed upstream in version 9.0.35.

Workaround
==========

None.

Description
===========

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to
9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if: a) an attacker is able
to control the contents and name of a file on the server; and b) the
server is configured to use the PersistenceManager with a FileStore;
and c) the PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the
attacker provided object to be deserialized; and d) the attacker knows
the relative file path from the storage location used by FileStore to
the file the attacker has control over; then, using a specifically
crafted request, the attacker will be able to trigger remote code
execution via deserialization of the file under their control.

Note that all of conditions a) to d) must be true for the attack to
succeed.

Impact
======

A remote attacker can execute code on the affected host if they control
the file content and know the path.

References
==========

https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
https://security.archlinux.org/CVE-2020-9484
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20200609/365eb4f5/attachment.sig>


More information about the arch-security mailing list