On May 24, 2020 4:49:50 PM UTC, Stefan Mayr <ste...@mayr-stefan.de> wrote: >Hi, > >Am 20.05.2020 um 17:19 schrieb Mark Thomas: >> CVE-2020-9484 Apache Tomcat Remote Code Execution via session >persistence >> >> Severity: High >> >> Vendor: The Apache Software Foundation >> >> Versions Affected: >> Apache Tomcat 10.0.0-M1 to 10.0.0-M4 >> Apache Tomcat 9.0.0.M1 to 9.0.34 >> Apache Tomcat 8.5.0 to 8.5.54 >> Apache Tomcat 7.0.0 to 7.0.103 >> >> Description: >> If: >> a) an attacker is able to control the contents and name of a file on >the >> server; and >> b) the server is configured to use the PersistenceManager with a >> FileStore; and >> c) the PersistenceManager is configured with >> sessionAttributeValueClassNameFilter="null" (the default unless a >> SecurityManager is used) or a sufficiently lax filter to allow the >> attacker provided object to be deserialized; and >> d) the attacker knows the relative file path from the storage >location >> used by FileStore to the file the attacker has control over; >> then, using a specifically crafted request, the attacker will be able >to >> trigger remote code execution via deserialization of the file under >> their control. Note that all of conditions a) to d) must be true for >the >> attack to succeed. >> > >Assuming an attacker can do (a), (d) and the Tomcat instance is running >with a default configuration (c): is the StandardManager vulnerable or >not (b)?
No. >Also a question about naming: is PersistenceManager the same >PersistentManager as in org.apache.catalina.session.PersistentManager? Yes. >So a vulnerable configuration would need to use something like > ><Manager className="org.apache.catalina.session.PersistentManager"> > <Store className="org.apache.catalina.session.FileStore" /> ></Manager> Yes. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
