Bug#961209: tomcat9: CVE-2020-9484

Salvatore Bonaccorso carnil at debian.org
Thu May 21 13:21:08 BST 2020


Source: tomcat9
Version: 9.0.34-1
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 9.0.31-1~deb10u1
Control: found -1 9.0.16-4 

Hi,

The following vulnerability was published for tomcat9.

CVE-2020-9484[0]:
| When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to
| 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able
| to control the contents and name of a file on the server; and b) the
| server is configured to use the PersistenceManager with a FileStore;
| and c) the PersistenceManager is configured with
| sessionAttributeValueClassNameFilter="null" (the default unless a
| SecurityManager is used) or a sufficiently lax filter to allow the
| attacker provided object to be deserialized; and d) the attacker knows
| the relative file path from the storage location used by FileStore to
| the file the attacker has control over; then, using a specifically
| crafted request, the attacker will be able to trigger remote code
| execution via deserialization of the file under their control. Note
| that all of conditions a) to d) must be true for the attack to
| succeed.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-9484
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
[1] https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35

Regards,
Salvatore
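As an added example that is not part of this report nor of the Debian or Tomcat projects' own tooling: of the four preconditions quoted above, b) and c) are visible in Tomcat's configuration (a `Manager` of class `PersistentManager` with a `FileStore`, and no or a lax `sessionAttributeValueClassNameFilter`; the advisory's `"null"` means the attribute is unset). The Python below parses a context.xml and reports Manager elements that satisfy both. The two context.xml fragments are constructed for illustration, and the allow-list regex in the hardened one is an assumption about what a minimal filter for a given application might look like, not an upstream recommendation. Conditions a) and d) depend on the deployment and cannot be read from the file; the durable fix is the 9.0.35 change in [1].

```python
"""Audit a Tomcat context.xml for CVE-2020-9484 preconditions b) and c).
Constructed example; not Debian's or Tomcat's own tooling."""
import re
import sys
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed sample: b) and c) both hold. With no SecurityManager, an absent
# sessionAttributeValueClassNameFilter means no filtering at all.
WEAK_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""

# Constructed sample: same store, but only a few JDK value types may be
# deserialized. The exact allow-list is an assumption for illustration.
HARDENED_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
"""

# Hypothetical class name no application would store in a session; if the
# filter accepts it, the filter accepts anything.
PROBE_CLASS = "org.example.hypothetical.AnyClass"


def filter_is_lax(pattern):
    """Tomcat applies the filter as a full-match regex on the attribute
    value's class name. A pattern that full-matches an arbitrary class
    name is treated as lax; a pattern this engine cannot parse is flagged
    for manual review rather than trusted."""
    try:
        return re.fullmatch(pattern, PROBE_CLASS) is not None
    except re.error:
        return True


def audit_context(xml_text):
    """Return one finding per Manager that is a PersistentManager backed by
    a FileStore (condition b) with an unset or lax filter (condition c)."""
    root = ET.fromstring(xml_text)
    findings = []
    for mgr in root.iter("Manager"):
        if mgr.get("className") != PERSISTENT_MANAGER:
            continue
        if not any(s.get("className") == FILE_STORE for s in mgr.iter("Store")):
            continue
        flt = (mgr.get("sessionAttributeValueClassNameFilter") or "").strip()
        if flt == "":
            findings.append(
                "PersistentManager+FileStore with no class-name filter "
                "(condition c holds unless a SecurityManager is in use)")
        elif filter_is_lax(flt):
            findings.append(
                f"PersistentManager+FileStore with lax filter {flt!r} "
                "(accepts arbitrary classes, condition c holds)")
    return findings


if __name__ == "__main__":
    # Audit the files given on the command line, or the constructed samples.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                for finding in audit_context(fh.read()):
                    print(f"{path}: {finding}")
    else:
        for name, xml_text in (("weak", WEAK_CONTEXT_XML),
                               ("hardened", HARDENED_CONTEXT_XML)):
            print(name, audit_context(xml_text) or "no findings")
```

On a Debian system the files to feed it are the global context file under /etc/tomcat9 and each web application's META-INF/context.xml; an empty result only clears b) and c), so a build at or below the versions listed in the bug header still needs the upgrade.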



More information about the pkg-java-maintainers mailing list