Vulnerability Description
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | >= 7.0.0, < 7.0.108 |
| Debian | Debian Linux | 8.0 |
| Opensuse | Leap | 15.1 |
| Fedoraproject | Fedora | 31 |
| Canonical | Ubuntu Linux | 16.04 |
| Oracle | Agile Engineering Data Management | 6.2.1.0 |
| Oracle | Agile Plm | 9.3.3 |
| Oracle | Communications Cloud Native Core Binding Support Function | 1.10.0 |
| Oracle | Communications Cloud Native Core Policy | 1.14.0 |
| Oracle | Communications Diameter Signaling Router | >= 8.0.0.0, <= 8.4.0.5 |
| Oracle | Communications Element Manager | >= 8.2.0, <= 8.2.2 |
| Oracle | Communications Instant Messaging Server | 10.0.1.4.0 |
| Oracle | Communications Session Report Manager | >= 8.2.0, <= 8.2.2 |
| Oracle | Communications Session Route Manager | >= 8.2.0, <= 8.2.2 |
| Oracle | Database | 12.2.0.1 |
| Oracle | Fmw Platform | 12.2.1.3.0 |
| Oracle | Hospitality Guest Access | 4.2.0 |
| Oracle | Instantis Enterprisetrack | >= 17.1, <= 17.3 |
| Oracle | Managed File Transfer | 12.2.1.3.0 |
| Oracle | Mysql Enterprise Monitor | <= 8.0.21 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.htmlThird Party Advisory
- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-OfThird Party AdvisoryVDB Entry
- http://seclists.org/fulldisclosure/2020/Jun/6Mailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2021/03/01/2Mailing ListThird Party Advisory
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332Third Party Advisory
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997a
- https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d98
- https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c2
- https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66Mailing ListMitigationPatch
- https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c862662
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da
- https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307
- https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e
- https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c1
- https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737
FAQ
What is CVE-2020-9484?
CVE-2020-9484 is a vulnerability with a CVSS score of 7.0 (HIGH). When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; a...
How severe is CVE-2020-9484?
CVE-2020-9484 has been rated HIGH with a CVSS base score of 7.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-9484?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat, Debian Debian Linux, Opensuse Leap, Fedoraproject Fedora, Canonical Ubuntu Linux.