CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0
Apache Tomcat 9.0.0.M1 to 9.0.41
Apache Tomcat 8.5.0 to 8.5.61
Apache Tomcat 7.0.0 to 7.0.107

Description:
The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that the previously published prerequisites for CVE-2020-9484 also apply to this issue.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.2 or later
- Upgrade to Apache Tomcat 9.0.43 or later
- Upgrade to Apache Tomcat 8.5.63 or later
- Upgrade to Apache Tomcat 7.0.108 or later
- The previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue

Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62, but the release votes for those versions did not pass.
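As an added example (not part of the advisory or of Tomcat itself), a small Python check that classifies a reported Tomcat version against the affected ranges listed above and names the release to upgrade to. It assumes version strings in the forms the advisory uses ("10.0.0-M1", "9.0.0.M1", "8.5.61"); a result of None means the version is outside the listed ranges, not that it is known to be safe (for example, end-of-life 8.0.x branches are not covered by this advisory).

```python
import re
from typing import Optional, Tuple

# Affected ranges and first fixed release per branch, copied from this advisory.
AFFECTED = {
    10: (("10.0.0-M1", "10.0.0"), "10.0.2"),
    9: (("9.0.0.M1", "9.0.41"), "9.0.43"),
    8: (("8.5.0", "8.5.61"), "8.5.63"),
    7: (("7.0.0", "7.0.107"), "7.0.108"),
}

# major.minor.patch with an optional milestone suffix written as "-M<n>" or ".M<n>"
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Sentinel milestone value so that a final release sorts after every milestone
_FINAL = 10**6


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse a Tomcat version into a sortable tuple (major, minor, patch, milestone).

    Milestones sort before the final release of the same number, e.g.
    parse_version("9.0.0.M1") < parse_version("9.0.0").
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else _FINAL
    return (int(major), int(minor), int(patch), ms)


def is_affected(version: str) -> Optional[str]:
    """Return the first fixed release if `version` is in an affected range, else None."""
    v = parse_version(version)
    for major, ((lo, hi), fixed) in AFFECTED.items():
        if v[0] != major:
            continue
        if parse_version(lo) <= v <= parse_version(hi):
            return fixed
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts
    for ver in ["9.0.41", "10.0.0-M5", "8.5.63", "7.0.107", "8.0.53"]:
        fixed = is_affected(ver)
        print(f"{ver}: {'upgrade to ' + fixed if fixed else 'not in a listed range'}")
```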

Credit:
This issue was identified by Trung Pham of Viettel Cyber Security.

History:
2021-03-01 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
[4] https://tomcat.apache.org/security-7.html
