When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Tomcat | Apache | 7.0.0 (including) | 7.0.108 (excluding) |
| Tomcat | Apache | 8.5.0 (including) | 8.5.63 (excluding) |
| Tomcat | Apache | 9.0.1 (including) | 9.0.43 (excluding) |
| Tomcat | Apache | 9.0.0-milestone1 (including) | 9.0.0-milestone1 (including) |
| Tomcat | Apache | 9.0.0-milestone10 (including) | 9.0.0-milestone10 (including) |
| Tomcat | Apache | 9.0.0-milestone11 (including) | 9.0.0-milestone11 (including) |
| Tomcat | Apache | 9.0.0-milestone12 (including) | 9.0.0-milestone12 (including) |
| Tomcat | Apache | 9.0.0-milestone13 (including) | 9.0.0-milestone13 (including) |
| Tomcat | Apache | 9.0.0-milestone14 (including) | 9.0.0-milestone14 (including) |
| Tomcat | Apache | 9.0.0-milestone15 (including) | 9.0.0-milestone15 (including) |
| Tomcat | Apache | 9.0.0-milestone16 (including) | 9.0.0-milestone16 (including) |
| Tomcat | Apache | 9.0.0-milestone17 (including) | 9.0.0-milestone17 (including) |
| Tomcat | Apache | 9.0.0-milestone18 (including) | 9.0.0-milestone18 (including) |
| Tomcat | Apache | 9.0.0-milestone19 (including) | 9.0.0-milestone19 (including) |
| Tomcat | Apache | 9.0.0-milestone2 (including) | 9.0.0-milestone2 (including) |
| Tomcat | Apache | 9.0.0-milestone20 (including) | 9.0.0-milestone20 (including) |
| Tomcat | Apache | 9.0.0-milestone21 (including) | 9.0.0-milestone21 (including) |
| Tomcat | Apache | 9.0.0-milestone22 (including) | 9.0.0-milestone22 (including) |
| Tomcat | Apache | 9.0.0-milestone23 (including) | 9.0.0-milestone23 (including) |
| Tomcat | Apache | 9.0.0-milestone24 (including) | 9.0.0-milestone24 (including) |
| Tomcat | Apache | 9.0.0-milestone25 (including) | 9.0.0-milestone25 (including) |
| Tomcat | Apache | 9.0.0-milestone26 (including) | 9.0.0-milestone26 (including) |
| Tomcat | Apache | 9.0.0-milestone27 (including) | 9.0.0-milestone27 (including) |
| Tomcat | Apache | 9.0.0-milestone3 (including) | 9.0.0-milestone3 (including) |
| Tomcat | Apache | 9.0.0-milestone4 (including) | 9.0.0-milestone4 (including) |
| Tomcat | Apache | 9.0.0-milestone5 (including) | 9.0.0-milestone5 (including) |
| Tomcat | Apache | 9.0.0-milestone6 (including) | 9.0.0-milestone6 (including) |
| Tomcat | Apache | 9.0.0-milestone7 (including) | 9.0.0-milestone7 (including) |
| Tomcat | Apache | 9.0.0-milestone8 (including) | 9.0.0-milestone8 (including) |
| Tomcat | Apache | 9.0.0-milestone9 (including) | 9.0.0-milestone9 (including) |
| Tomcat | Apache | 10.0.0-milestone1 (including) | 10.0.0-milestone1 (including) |
| Tomcat | Apache | 10.0.0-milestone2 (including) | 10.0.0-milestone2 (including) |
| Tomcat | Apache | 10.0.0-milestone3 (including) | 10.0.0-milestone3 (including) |
| Tomcat | Apache | 10.0.0-milestone4 (including) | 10.0.0-milestone4 (including) |
| Red Hat Enterprise Linux 6 | RedHat | tomcat6-0:6.0.24-115.el6_10 | * |
| Red Hat Enterprise Linux 7 | RedHat | tomcat-0:7.0.76-12.el7_8 | * |
| Red Hat Fuse 7.11 | RedHat | * | |
| Red Hat Fuse 7.9 | RedHat | tomcat | * |
| Red Hat JBoss Web Server 3.1 | RedHat | tomcat | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat7-0:7.0.70-40.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat8-0:8.0.36-44.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat-native-0:1.2.23-22.redhat_22.ep7.el6 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat7-0:7.0.70-40.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat8-0:8.0.36-44.ep7.el7 | * |
| Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat-native-0:1.2.23-22.redhat_22.ep7.el7 | * |
| Red Hat JBoss Web Server 5.3 on RHEL 6 | RedHat | jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 6 | RedHat | jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 7 | RedHat | jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 7 | RedHat | jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 8 | RedHat | jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws | * |
| Red Hat JBoss Web Server 5.3 on RHEL 8 | RedHat | jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws | * |
| Red Hat JBoss Web Server (JWS) 5.3 | RedHat | tomcat | * |
| Red Hat Runtimes Spring Boot 2.1.15 | RedHat | tomcat | * |
| Tomcat7 | Ubuntu | bionic | * |
| Tomcat7 | Ubuntu | esm-apps/bionic | * |
| Tomcat7 | Ubuntu | esm-apps/xenial | * |
| Tomcat7 | Ubuntu | esm-infra-legacy/trusty | * |
| Tomcat7 | Ubuntu | trusty | * |
| Tomcat7 | Ubuntu | trusty/esm | * |
| Tomcat7 | Ubuntu | xenial | * |
| Tomcat8 | Ubuntu | bionic | * |
| Tomcat8 | Ubuntu | esm-apps/bionic | * |
| Tomcat8 | Ubuntu | esm-infra/xenial | * |
| Tomcat8 | Ubuntu | trusty | * |
| Tomcat8 | Ubuntu | xenial | * |
| Tomcat9 | Ubuntu | bionic | * |
| Tomcat9 | Ubuntu | eoan | * |
| Tomcat9 | Ubuntu | esm-apps/bionic | * |
| Tomcat9 | Ubuntu | esm-apps/focal | * |
| Tomcat9 | Ubuntu | focal | * |
| Tomcat9 | Ubuntu | trusty | * |
| Tomcat9 | Ubuntu | upstream | * |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Related Attack Patterns
References
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html
- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
- http://seclists.org/fulldisclosure/2020/Jun/6
- http://www.openwall.com/lists/oss-security/2021/03/01/2
- https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html
- https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/
- https://security.gentoo.org/glsa/202006-21
- https://security.netapp.com/advisory/ntap-20200528-0005/
- https://usn.ubuntu.com/4448-1/
- https://usn.ubuntu.com/4596-1/
- https://www.debian.org/security/2020/dsa-4727
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html
- http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html
- http://seclists.org/fulldisclosure/2020/Jun/6
- http://www.openwall.com/lists/oss-security/2021/03/01/2
- https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html
- https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
- https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/
- https://security.gentoo.org/glsa/202006-21
- https://security.netapp.com/advisory/ntap-20200528-0005/
- https://usn.ubuntu.com/4448-1/
- https://usn.ubuntu.com/4596-1/
- https://www.debian.org/security/2020/dsa-4727
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html