[CVE-2020-9484] Apache Tomcat RCE via PersistentManager

Related Vulnerabilities: CVE-2020-9484  
                <!--X-Body-Begin-->
<!--X-User-Header-->
<h2 class="m-list"><a href="/fulldisclosure/">Full Disclosure</a>
mailing list archives</h2>
<!--X-User-Header-End-->
<!--X-TopPNI-->

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1 class="m-title">[CVE-2020-9484] Apache Tomcat RCE via PersistentManager</h1>
<hr>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->


<em>From</em>: Red Timmy Security &lt;publications () redtimmy com&gt;


<em>Date</em>: Sat, 30 May 2020 15:44:03 +0200


<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<pre style="margin: 0em;">Original post:
<a rel="nofollow" href="https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/">https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/</a>

SUMMARY

Apache Tomcat is affected by a Java deserialization vulnerability if
the PersistentManager is configured as session manager. Successful
exploitation requires the attacker to be able to upload an arbitrary
file to the server.

AFFECTED VERSIONS

- Apache Tomcat 10.x &lt; 10.0.0-M5
- Apache Tomcat 9.x &lt; 9.0.35
- Apache Tomcat 8.x &lt; 8.5.55
- Apache Tomcat 7.x &lt; 7.0.104

VULNERABILITY DETAILS

The vulnerability exists because the PersistentManager will try to load
session objects from disk. These session objects are stored as
serialized objects. The idea is to have the attacker store a malicious
serialized object on disk, and have the PersistentManager load from
there. For this to work, the following conditions apply:

  * The PersistentManager is enabled and it's using a FileStore
  * The attacker is able to upload a file with arbitrary content, has
    control over the filename and knows the location where it is uploaded
  * There are gadgets in the classpath that can be used for a Java
    deserialization attack

Full details on how to exploit can be found in this post:
<a rel="nofollow" href="https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/">https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/</a>

VENDOR RESPONSE

Apache Tomcat has officially released a new version to fix this
vulnerability. It is recommended that affected users upgrade Tomcat to
the unaffected version as soon as possible. Users who cannot conveniently
upgrade can also temporarily disable the FileStore function or
configure the value of sessionAttributeValueClassNameFilter separately to
ensure that only objects with specific attributes can be
serialized/deserialized.

_______________________________________________
Sent through the Full Disclosure mailing list
<a rel="nofollow" href="https://nmap.org/mailman/listinfo/fulldisclosure">https://nmap.org/mailman/listinfo/fulldisclosure</a>
Web Archives &amp; RSS: <a rel="nofollow" href="http://seclists.org/fulldisclosure/">http://seclists.org/fulldisclosure/</a>

</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
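The two session-manager configurations the advisory's vendor response contrasts, as an added example that is not part of the original post or of Tomcat's own documentation: a context.xml in which the PersistentManager swaps sessions to a FileStore with no value-class filter (the exposed setup the advisory describes), beside the same manager with sessionAttributeValueClassNameFilter restricted to an allow-list, and the variant that drops the FileStore entirely. The `directory` value and the allow-listed classes are assumptions chosen for illustration; the class names and attribute names are Tomcat's.

```xml
<!-- Exposed setup (matches the advisory's preconditions): PersistentManager
     swaps idle sessions to disk through a FileStore and no value-class filter
     is configured, so any Serializable class reachable on the classpath can be
     deserialized when a session file is loaded. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30">
    <!-- "sessions" is an assumed path; a relative path is resolved against the
         web application's work directory -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>

<!-- Mitigated setup for deployments that cannot upgrade yet (the advisory's
     second suggestion): keep the FileStore but allow-list, by regular
     expression over the fully qualified class name, the attribute value
     classes the application actually stores. Attribute values of any other
     class are not deserialized. The allow-list below is an assumption;
     tailor it to the classes your application puts into the session. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>

<!-- The advisory's first suggestion, disabling the FileStore, is simply
     omitting the Manager element so Tomcat falls back to the default
     StandardManager, which does not load individual session files. -->
<Context/>
```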
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
<p>