When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tomcat | Apache | 7.0.0 (including) | 7.0.108 (excluding) |
| Tomcat | Apache | 8.5.0 (including) | 8.5.63 (excluding) |
| Tomcat | Apache | 9.0.1 (including) | 9.0.43 (excluding) |
| Tomcat | Apache | 9.0.0-milestone1 (including) | 9.0.0-milestone1 (including) |
| Tomcat | Apache | 9.0.0-milestone10 (including) | 9.0.0-milestone10 (including) |
| Tomcat | Apache | 9.0.0-milestone11 (including) | 9.0.0-milestone11 (including) |
| Tomcat | Apache | 9.0.0-milestone12 (including) | 9.0.0-milestone12 (including) |
| Tomcat | Apache | 9.0.0-milestone13 (including) | 9.0.0-milestone13 (including) |
| Tomcat | Apache | 9.0.0-milestone14 (including) | 9.0.0-milestone14 (including) |
| Tomcat | Apache | 9.0.0-milestone15 (including) | 9.0.0-milestone15 (including) |
| Tomcat | Apache | 9.0.0-milestone16 (including) | 9.0.0-milestone16 (including) |
| Tomcat | Apache | 9.0.0-milestone17 (including) | 9.0.0-milestone17 (including) |
| Tomcat | Apache | 9.0.0-milestone18 (including) | 9.0.0-milestone18 (including) |
| Tomcat | Apache | 9.0.0-milestone19 (including) | 9.0.0-milestone19 (including) |
| Tomcat | Apache | 9.0.0-milestone2 (including) | 9.0.0-milestone2 (including) |
| Tomcat | Apache | 9.0.0-milestone20 (including) | 9.0.0-milestone20 (including) |
| Tomcat | Apache | 9.0.0-milestone21 (including) | 9.0.0-milestone21 (including) |
| Tomcat | Apache | 9.0.0-milestone22 (including) | 9.0.0-milestone22 (including) |
| Tomcat | Apache | 9.0.0-milestone23 (including) | 9.0.0-milestone23 (including) |
| Tomcat | Apache | 9.0.0-milestone24 (including) | 9.0.0-milestone24 (including) |
| Tomcat | Apache | 9.0.0-milestone25 (including) | 9.0.0-milestone25 (including) |
| Tomcat | Apache | 9.0.0-milestone26 (including) | 9.0.0-milestone26 (including) |
| Tomcat | Apache | 9.0.0-milestone27 (including) | 9.0.0-milestone27 (including) |
| Tomcat | Apache | 9.0.0-milestone3 (including) | 9.0.0-milestone3 (including) |
| Tomcat | Apache | 9.0.0-milestone4 (including) | 9.0.0-milestone4 (including) |
| Tomcat | Apache | 9.0.0-milestone5 (including) | 9.0.0-milestone5 (including) |
| Tomcat | Apache | 9.0.0-milestone6 (including) | 9.0.0-milestone6 (including) |
| Tomcat | Apache | 9.0.0-milestone7 (including) | 9.0.0-milestone7 (including) |
| Tomcat | Apache | 9.0.0-milestone8 (including) | 9.0.0-milestone8 (including) |
| Tomcat | Apache | 9.0.0-milestone9 (including) | 9.0.0-milestone9 (including) |
| Tomcat | Apache | 10.0.0-milestone1 (including) | 10.0.0-milestone1 (including) |
| Tomcat | Apache | 10.0.0-milestone2 (including) | 10.0.0-milestone2 (including) |
| Tomcat | Apache | 10.0.0-milestone3 (including) | 10.0.0-milestone3 (including) |
| Tomcat | Apache | 10.0.0-milestone4 (including) | 10.0.0-milestone4 (including) |
| Tomcat7 | Ubuntu | bionic | * |
| Tomcat7 | Ubuntu | esm-apps/bionic | * |
| Tomcat7 | Ubuntu | esm-apps/xenial | * |
| Tomcat7 | Ubuntu | trusty | * |
| Tomcat7 | Ubuntu | trusty/esm | * |
| Tomcat7 | Ubuntu | xenial | * |
| Tomcat8 | Ubuntu | bionic | * |
| Tomcat8 | Ubuntu | esm-apps/bionic | * |
| Tomcat8 | Ubuntu | trusty | * |
| Tomcat8 | Ubuntu | xenial | * |
| Tomcat9 | Ubuntu | bionic | * |
| Tomcat9 | Ubuntu | eoan | * |
| Tomcat9 | Ubuntu | focal | * |
| Tomcat9 | Ubuntu | trusty | * |
| Tomcat9 | Ubuntu | upstream | * |
| Red Hat Enterprise Linux 6 | RedHat | tomcat6-0:6.0.24-115.el6_10 | * |
| Red Hat Enterprise Linux 7 | RedHat | tomcat-0:7.0.76-12.el7_8 | * |
| Red Hat Fuse 7.11 | RedHat | * | |
| Red Hat Fuse 7.9 | RedHat | tomcat | * |
| Red Hat JBoss Web Server 3.1 | RedHat | tomcat | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat7-0:7.0.70-40.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat8-0:8.0.36-44.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat-native-0:1.2.23-22.redhat_22.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat7-0:7.0.70-40.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat8-0:8.0.36-44.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat-native-0:1.2.23-22.redhat_22.ep7.el7 | * |
| Red Hat JBoss Web Server 5.3 on RHEL 6 | RedHat | jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 6 | RedHat | jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 7 | RedHat | jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 7 | RedHat | jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 8 | RedHat | jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 8 | RedHat | jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws | * |
| Red Hat JBoss Web Server (JWS) 5.3 | RedHat | tomcat | * |
| Red Hat Runtimes Spring Boot 2.1.15 | RedHat | tomcat | * |
It is often convenient to serialize objects for communication or to save them for later use. However, deserialized data or code can often be modified without using the provided accessor functions if it does not use cryptography to protect itself. Furthermore, any cryptography would still be client-side security – which is a dangerous security assumption. Data that is untrusted can not be trusted to be well-formed. When developers place no restrictions on “gadget chains,” or series of instances and method invocations that can self-execute during the deserialization process (i.e., before the object is returned to the caller), it is sometimes possible for attackers to leverage them to perform unauthorized actions, like generating a shell.