Hi, Am 20.05.2020 um 17:19 schrieb Mark Thomas: > CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence > > Severity: High > > Vendor: The Apache Software Foundation > > Versions Affected: > Apache Tomcat 10.0.0-M1 to 10.0.0-M4 > Apache Tomcat 9.0.0.M1 to 9.0.34 > Apache Tomcat 8.5.0 to 8.5.54 > Apache Tomcat 7.0.0 to 7.0.103 > > Description: > If: > a) an attacker is able to control the contents and name of a file on the > server; and > b) the server is configured to use the PersistenceManager with a > FileStore; and > c) the PersistenceManager is configured with > sessionAttributeValueClassNameFilter="null" (the default unless a > SecurityManager is used) or a sufficiently lax filter to allow the > attacker provided object to be deserialized; and > d) the attacker knows the relative file path from the storage location > used by FileStore to the file the attacker has control over; > then, using a specifically crafted request, the attacker will be able to > trigger remote code execution via deserialization of the file under > their control. Note that all of conditions a) to d) must be true for the > attack to succeed. >
Assuming an attacker can do (a), (d) and the Tomcat instance is running with a default configuration (c): is the StandardManager vulnerable or not (b)? Also a question about naming: is PersistenceManager the same PersistentManager as in org.apache.catalina.session.PersistentManager? So a vulnerable configuration would need to use something like <Manager className="org.apache.catalina.session.PersistentManager"> <Store className="org.apache.catalina.session.FileStore" /> </Manager> Regards, Stefan Mayr --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org