2020-05-21 CVE-2020-9484: Apache Tomcat Remote Code Execution Vulnerability
A new security vulnerability in Tomcat was recently disclosed. An attacker, under certain conditions, can trigger remote code execution on the server.
An attack may occur when all the following conditions are met:
- The attacker is able to control the contents and name of a file on the server.
- The server is configured to use the PersistenceManager with a FileStore.
- The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter that allows the attacker-provided object to be deserialized.
- The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.
How to Patch It
We have updated all our solutions to include the latest versions of Tomcat (9.0.35, 8.5.55, and 7.0.104). We suggest upgrading your Tomcat to one of these versions. If, for some reason, you are unable to upgrade, you can configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter.
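As an added illustration (not code from this advisory or from the Tomcat project), the following Python script parses a Tomcat context.xml and reports the configuration part of the conditions above: a PersistentManager backed by a FileStore whose sessionAttributeValueClassNameFilter is unset, the literal "null", or permissive enough to accept an arbitrary class name. The two embedded configurations and the probe class name are constructed for this example, and it assumes Tomcat applies the filter regex as a full match on the attribute value's class name; the file-control conditions cannot be checked from the configuration alone.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
# Hypothetical class name used only to probe whether a filter regex is an
# effective allow-list; it is not a real Tomcat class.
PROBE_CLASS = "com.example.NotOnTheAllowList"

# Constructed sample: the lax setup the advisory describes, PersistentManager
# plus FileStore with no sessionAttributeValueClassNameFilter at all.
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: the same setup restricted to a short allow-list of
# value classes (the regex is applied to the fully qualified class name).
HARDENED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""


def audit_context(xml_text: str) -> List[str]:
    """Return one finding per PersistentManager+FileStore whose class-name filter
    is unset, the literal "null", or matches an arbitrary class name."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        if not any(s.get("className") == FILE_STORE for s in manager.iter("Store")):
            continue
        flt = manager.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt.strip().lower() in ("", "null"):
            findings.append("FileStore with no sessionAttributeValueClassNameFilter")
        elif re.fullmatch(flt, PROBE_CLASS):
            # Assumption: Tomcat applies the pattern as a full match on the class name.
            findings.append(f"FileStore with overly permissive filter: {flt}")
    return findings


if __name__ == "__main__":
    for name, ctx in (("weak", WEAK_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(name, audit_context(ctx) or "ok")
```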
You can find more information about the security issue in the official notice.