Hi,

Am 20.05.2020 um 17:19 schrieb Mark Thomas:
> CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence
> 
> Severity: High
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M4
> Apache Tomcat 9.0.0.M1 to 9.0.34
> Apache Tomcat 8.5.0 to 8.5.54
> Apache Tomcat 7.0.0 to 7.0.103
> 
> Description:
> If:
> a) an attacker is able to control the contents and name of a file on the
>    server; and
> b) the server is configured to use the PersistenceManager with a
>    FileStore; and
> c) the PersistenceManager is configured with
>    sessionAttributeValueClassNameFilter="null" (the default unless a
>    SecurityManager is used) or a sufficiently lax filter to allow the
>    attacker provided object to be deserialized; and
> d) the attacker knows the relative file path from the storage location
>    used by FileStore to the file the attacker has control over;
> then, using a specifically crafted request, the attacker will be able to
> trigger remote code execution via deserialization of the file under
> their control. Note that all of conditions a) to d) must be true for the
> attack to succeed.
> 

Assuming an attacker can do (a), (d) and the Tomcat instance is running
with a default configuration (c): is the StandardManager vulnerable or
not (b)?

Also a question about naming: is PersistenceManager the same
PersistentManager as in org.apache.catalina.session.PersistentManager?
So a vulnerable configuration would need to use something like

<Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore" />
</Manager>

Regards,

  Stefan Mayr


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to