s/PersistenceManager/PersistentManager/g

Is that a typo?

Thanks.
-ag

On Wed, May 20, 2020 at 8:19 AM Mark Thomas <[email protected]> wrote:
>
> CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
>
> Severity: High
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M4
> Apache Tomcat 9.0.0.M1 to 9.0.34
> Apache Tomcat 8.5.0 to 8.5.54
> Apache Tomcat 7.0.0 to 7.0.103
>
> Description:
> If:
> a) an attacker is able to control the contents and name of a file on the
> server; and
> b) the server is configured to use the PersistenceManager with a
> FileStore; and
> c) the PersistenceManager is configured with
> sessionAttributeValueClassNameFilter="null" (the default unless a
> SecurityManager is used) or a sufficiently lax filter to allow the
> attacker provided object to be deserialized; and
> d) the attacker knows the relative file path from the storage location
> used by FileStore to the file the attacker has control over;
> then, using a specifically crafted request, the attacker will be able to
> trigger remote code execution via deserialization of the file under
> their control. Note that all of conditions a) to d) must be true for the
> attack to succeed.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M5 or later
> - Upgrade to Apache Tomcat 9.0.35 or later
> - Upgrade to Apache Tomcat 8.5.55 or later
> - Upgrade to Apache Tomcat 7.0.104 or later
> Alternatively, users may configure the PersistenceManager with an
> appropriate value for sessionAttributeValueClassNameFilter to ensure
> that only application provided attributes are serialized and deserialized.
>
> Credit:
> This issue was discovered and reported responsibly to the Apache Tomcat
> Security Team by jarvis threedr3am of pdd security research
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
> [4] http://tomcat.apache.org/security-7.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
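The configuration the advisory is talking about, as an added example that is not part of this thread or of the Tomcat project's own documentation. The manager class is org.apache.catalina.session.PersistentManager, as the sed expression in the reply suggests; the advisory's "PersistenceManager" does not name a Tomcat class. The fragment below is a META-INF/context.xml showing the vulnerable shape (conditions b and c) next to the hardened form that the "Alternatively" paragraph of the mitigation describes. The allow-list regex is the value Tomcat's Manager configuration reference documents as the default when a SecurityManager is enabled; check it against the reference for the version you run. The store directory name sessions and the application package com.example are assumptions made for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml (example only; the directory "sessions" and the
     package com.example are assumptions, not values from the advisory). -->
<Context>

  <!-- VULNERABLE shape from the advisory: PersistentManager + FileStore and
       no class name filter. Setting the attribute to "null", or omitting it,
       leaves every Serializable class on the classpath eligible for
       deserialization from a stored session file unless a SecurityManager
       is enabled. Kept here, commented out, for comparison only.

  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="null">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
  -->

  <!-- HARDENED: only classes whose fully qualified name matches this regex
       are written to, or read back from, the FileStore. The first part is
       the allow-list Tomcat documents as its SecurityManager default; the
       trailing com\.example\..* admits the application's own session
       attribute classes (assumed package). The value is matched against the
       whole class name, so dots must be escaped and wildcards made explicit.
       With the warn flag set, any attribute dropped by the filter is logged
       at WARN, which is how you find legitimate classes the list still
       misses before enabling it in production. -->
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.realm\.GenericPrincipal\$SerializablePrincipal|\[Ljava.lang.String;|com\.example\..*"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>

</Context>
```

The filter only removes condition c) from the advisory's list; conditions a), b) and d) are untouched by it, so the upgrade in the Mitigation section remains the primary fix and the filter is defence in depth, or a stop-gap where an upgrade has to wait.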
