Debian Bug report logs - #961209 tomcat9: CVE-2020-9484
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Thu, 21 May 2020 12:24:02 UTC
Severity: grave
Tags: security, upstream
Found in versions tomcat9/9.0.31-1~deb10u1, tomcat9/9.0.34-1, tomcat9/9.0.16-4
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#961209; Package src:tomcat9. (Thu, 21 May 2020 12:24:03 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Thu, 21 May 2020 12:24:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: tomcat9
Version: 9.0.34-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 9.0.31-1~deb10u1
Control: found -1 9.0.16-4
Hi,
The following vulnerability was published for tomcat9.
CVE-2020-9484[0]:
| When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to
| 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able
| to control the contents and name of a file on the server; and b) the
| server is configured to use the PersistenceManager with a FileStore;
| and c) the PersistenceManager is configured with
| sessionAttributeValueClassNameFilter="null" (the default unless a
| SecurityManager is used) or a sufficiently lax filter to allow the
| attacker provided object to be deserialized; and d) the attacker knows
| the relative file path from the storage location used by FileStore to
| the file the attacker has control over; then, using a specifically
| crafted request, the attacker will be able to trigger remote code
| execution via deserialization of the file under their control. Note
| that all of conditions a) to d) must be true for the attack to
| succeed.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-9484
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
[1] https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35
Regards,
Salvatore
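As an added illustration (not part of the bug report, and not a file shipped by Tomcat or Debian), here are the two PersistentManager configurations that conditions b) and c) above refer to, in Tomcat context.xml syntax: one equivalent to the default, which accepts any serializable class read back from the FileStore, and one with an explicit class allowlist. The store directory and the allowlist pattern are assumptions for this example; a real allowlist has to include whatever attribute types the deployed application actually keeps in sessions.

```xml
<!-- Added example, not from the bug report or from Tomcat's shipped config.
     Variant 1: condition b), a PersistentManager backed by a FileStore, with
     condition c), the class-name filter left at its default (null), so any
     class on the classpath may be deserialized from a stored session file. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <!-- directory is an assumed path for this example -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat9/sessions"/>
  </Manager>
</Context>

<!-- Variant 2 (alternative context.xml): restrict which attribute value
     classes may be deserialized. The regex is an illustrative allowlist,
     not a recommended universal value; add the application's own session
     attribute types or those attributes will fail to load.
     warnOnSessionAttributeFilterFailure makes rejected attributes log at
     WARN level, which gives defenders a visible signal. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.realm\.GenericPrincipal\$SerializablePrincipal|\[Ljava\.lang\.String;"
           warnOnSessionAttributeFilterFailure="true">
    <!-- directory is an assumed path for this example -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat9/sessions"/>
  </Manager>
</Context>
```

The filter only narrows condition c); the upgrade to the fixed upstream release referenced in [1] is still the primary remediation.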
Marked as found in versions tomcat9/9.0.31-1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 21 May 2020 12:24:04 GMT)
Marked as found in versions tomcat9/9.0.16-4. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 21 May 2020 12:24:04 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu May 21 13:39:01 2020; Machine Name: bembo
Debian Bug tracking system. Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.