Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence

2020-05-24 Thread Mark Thomas
On May 24, 2020 4:49:50 PM UTC, Stefan Mayr  wrote:
>Hi,
>
>Am 20.05.2020 um 17:19 schrieb Mark Thomas:
>> CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
>> 
>> Severity: High
>> 
>> Vendor: The Apache Software Foundation
>> 
>> Versions Affected:
>> Apache Tomcat 10.0.0-M1 to 10.0.0-M4
>> Apache Tomcat 9.0.0.M1 to 9.0.34
>> Apache Tomcat 8.5.0 to 8.5.54
>> Apache Tomcat 7.0.0 to 7.0.103
>> 
>> Description:
>> If:
>> a) an attacker is able to control the contents and name of a file on the
>>server; and
>> b) the server is configured to use the PersistenceManager with a
>>FileStore; and
>> c) the PersistenceManager is configured with
>>sessionAttributeValueClassNameFilter="null" (the default unless a
>>SecurityManager is used) or a sufficiently lax filter to allow the
>>attacker provided object to be deserialized; and
>> d) the attacker knows the relative file path from the storage location
>>used by FileStore to the file the attacker has control over;
>> then, using a specifically crafted request, the attacker will be able to
>> trigger remote code execution via deserialization of the file under
>> their control. Note that all of conditions a) to d) must be true for the
>> attack to succeed.
>> 
>
>Assuming an attacker can do (a), (d) and the Tomcat instance is running
>with a default configuration (c): is the StandardManager vulnerable or
>not (b)?

No.

>Also a question about naming: is PersistenceManager the same
>PersistentManager as in org.apache.catalina.session.PersistentManager?

Yes.

>So a vulnerable configuration would need to use something like
>
>
>  
>

Yes.

Mark



-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
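The two context.xml fragments below are an added illustration of the configuration the thread is discussing; they are not Stefan's stripped-out snippet and not the Tomcat project's own files. The first fragment is what conditions (b) and (c) of the advisory look like in practice (PersistentManager plus FileStore, no class-name filter), the second is the same manager with an explicit allow-list, which is the mitigation for condition (c) when session persistence cannot simply be switched back to the default StandardManager. The `directory` value and the regular expression in the allow-list are assumptions for the example; the expression must cover whatever attribute value classes the application really stores, or sessions will fail to restore.

```xml
<!-- Fragment 1: satisfies conditions (b) and (c) of CVE-2020-9484.
     Sessions are serialised to files under "directory" and deserialised on
     reload; no sessionAttributeValueClassNameFilter means every class on the
     class path is accepted (the default when no SecurityManager is active). -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <!-- "directory" is an assumed example path; relative paths resolve
         under the application's work directory. -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions" />
  </Manager>
</Context>

<!-- Fragment 2: same persistence setup with condition (c) removed.
     sessionAttributeValueClassNameFilter is a regular expression matched
     against the fully qualified class name of each attribute value before it
     is deserialised; anything that does not match is dropped.
     warnOnSessionAttributeFilterFailure makes every rejected value show up
     in catalina.out at WARN level, which is the signal to look for when
     verifying the filter in a test environment. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions" />
  </Manager>
</Context>
```

To check an installation against condition (b), look for a `Manager` element whose `className` is `org.apache.catalina.session.PersistentManager` in `conf/context.xml` and in each application's `META-INF/context.xml`; a context with no `Manager` element at all uses StandardManager, which, as Mark confirms above, is not affected by this issue.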



Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence

2020-05-24 Thread Stefan Mayr
Hi,

Am 20.05.2020 um 17:19 schrieb Mark Thomas:
> CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
> 
> Severity: High
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M4
> Apache Tomcat 9.0.0.M1 to 9.0.34
> Apache Tomcat 8.5.0 to 8.5.54
> Apache Tomcat 7.0.0 to 7.0.103
> 
> Description:
> If:
> a) an attacker is able to control the contents and name of a file on the
>server; and
> b) the server is configured to use the PersistenceManager with a
>FileStore; and
> c) the PersistenceManager is configured with
>sessionAttributeValueClassNameFilter="null" (the default unless a
>SecurityManager is used) or a sufficiently lax filter to allow the
>attacker provided object to be deserialized; and
> d) the attacker knows the relative file path from the storage location
>used by FileStore to the file the attacker has control over;
> then, using a specifically crafted request, the attacker will be able to
> trigger remote code execution via deserialization of the file under
> their control. Note that all of conditions a) to d) must be true for the
> attack to succeed.
> 

Assuming an attacker can do (a), (d) and the Tomcat instance is running
with a default configuration (c): is the StandardManager vulnerable or
not (b)?

Also a question about naming: is PersistenceManager the same
PersistentManager as in org.apache.catalina.session.PersistentManager?
So a vulnerable configuration would need to use something like


  


Regards,

  Stefan Mayr
