ASA-202006-7: tomcat9: arbitrary code execution
Arch Linux Security Advisory ASA-202006-7
========================================
Severity: High
Date : 2020-06-06
CVE-ID : CVE-2020-9484
Package : tomcat9
Type : arbitrary code execution
Remote : Yes
Link : https://security.archlinux.org/AVG-1171
Summary
======
The package tomcat9 before version 9.0.35-1 is vulnerable to arbitrary
code execution.
Resolution
=========
Upgrade to 9.0.35-1.
# pacman -Syu "tomcat9>=9.0.35-1"
The problem has been fixed upstream in version 9.0.35.
Workaround
=========
None.
Description
==========
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to
9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if: a) an attacker is able
to control the contents and name of a file on the server; and b) the
server is configured to use the PersistenceManager with a FileStore;
and c) the PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the
attacker provided object to be deserialized; and d) the attacker knows
the relative file path from the storage location used by FileStore to
the file the attacker has control over; then, using a specifically
crafted request, the attacker will be able to trigger remote code
execution via deserialization of the file under their control.
Note that all of conditions a) to d) must be true for the attack to
succeed.
Impact
=====
A remote attacker can execute code on the affected host if they control
the file content and know the path.
References
=========
https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
https://security.archlinux.org/CVE-2020-9484
A tomcat9 security update has been released for Arch Linux to address an arbitrary code execution.