On 27/05/2020 18:37, amarendra godbole wrote:
> s/PersistenceManager/PersistentManager/g
> 
> Is that a typo?

Yes.

Mark


> 
> Thanks.
> 
> -ag
> 
> On Wed, May 20, 2020 at 8:19 AM Mark Thomas <ma...@apache.org> wrote:
>>
>> CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
>>
>> Severity: High
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 10.0.0-M1 to 10.0.0-M4
>> Apache Tomcat 9.0.0.M1 to 9.0.34
>> Apache Tomcat 8.5.0 to 8.5.54
>> Apache Tomcat 7.0.0 to 7.0.103
>>
>> Description:
>> If:
>> a) an attacker is able to control the contents and name of a file on the
>>    server; and
>> b) the server is configured to use the PersistenceManager with a
>>    FileStore; and
>> c) the PersistenceManager is configured with
>>    sessionAttributeValueClassNameFilter="null" (the default unless a
>>    SecurityManager is used) or a sufficiently lax filter to allow the
>>    attacker provided object to be deserialized; and
>> d) the attacker knows the relative file path from the storage location
>>    used by FileStore to the file the attacker has control over;
>> then, using a specifically crafted request, the attacker will be able to
>> trigger remote code execution via deserialization of the file under
>> their control. Note that all of conditions a) to d) must be true for the
>> attack to succeed.
>>
>> Mitigation:
>> - Upgrade to Apache Tomcat 10.0.0-M5 or later
>> - Upgrade to Apache Tomcat 9.0.35 or later
>> - Upgrade to Apache Tomcat 8.5.55 or later
>> - Upgrade to Apache Tomcat 7.0.104 or later
>> Alternatively, users may configure the PersistenceManager with an
>> appropriate value for sessionAttributeValueClassNameFilter to ensure
>> that only application provided attributes are serialized and deserialized.
>>
>> Credit:
>> This issue was discovered and reported responsibly to the Apache Tomcat
>> Security Team by jarvis threedr3am of pdd security research
>>
>> References:
>> [1] http://tomcat.apache.org/security-10.html
>> [2] http://tomcat.apache.org/security-9.html
>> [3] http://tomcat.apache.org/security-8.html
>> [4] http://tomcat.apache.org/security-7.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: dev-h...@tomcat.apache.org
>>



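The configuration that conditions b) and c) of the quoted advisory describe, and the filtered alternative its mitigation section recommends, as an added illustration that is not part of this thread or of the Tomcat project's own documentation. Both fragments are Manager elements as they would appear inside a web application's META-INF/context.xml (or conf/context.xml for all applications); the store directory, the com.example package and the list of java.lang classes are assumptions chosen for the example, not values taken from the advisory.

```xml
<!-- Added example, not from the advisory or the Tomcat project.
     Each fragment is a complete <Context> element; only one would be used. -->

<!-- As described in conditions b) and c): a PersistentManager backed by a
     FileStore, with sessionAttributeValueClassNameFilter left at its default
     (null when no SecurityManager is in use), so no class-name filtering is
     applied when a session file is read back from the store directory.
     The directory path is an assumption for the example. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions" />
  </Manager>
</Context>

<!-- The alternative mitigation from the advisory: the same manager with
     sessionAttributeValueClassNameFilter set to a regular expression that
     has to match the whole fully qualified class name of every attribute
     value the application stores in a session. Only the listed java.lang
     types and classes under the assumed com.example.session package are
     serialized and deserialized; anything else is rejected. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|String)|com\.example\.session\.[A-Za-z0-9_$]+">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions" />
  </Manager>
</Context>
```

Neither fragment is present in a default Tomcat installation, so a quick check for condition b) is to look for a Manager element with the PersistentManager class name in context.xml files; if one is found together with a FileStore and no sessionAttributeValueClassNameFilter attribute, the server is in the state the advisory describes. When writing the filter, keep the pattern a whole-name match for the application's own session types rather than a broad prefix, since a pattern that also admits library classes reintroduces the "sufficiently lax filter" case of condition c).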