CVE-2020-9484
remote code execution vulnerability in org.apache.tomcat:tomcat-catalina
What is CVE-2020-9484 About?
This vulnerability allows for remote code execution via deserialization in Apache Tomcat under very specific conditions. If an attacker can control a file on the server and several configurations are met, they can exploit a crafted request to execute arbitrary code. Exploiting this is complex due to multiple prerequisites that must align.
Affected Software
- org.apache.tomcat:tomcat-catalina
- >=7.0.0, <7.0.104
- >=8.5.0, <8.5.55
- >=9.0.0.M1, <9.0.35
- >=10.0.0-M1, <10.0.0-M5
Technical Details
The vulnerability is present in Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 when the server is configured to use the PersistentManager with a FileStore and the manager's sessionAttributeValueClassNameFilter is unset (null, which is the default unless a SecurityManager is used) or is a regular expression lax enough to admit the classes the attacker needs. FileStore persists each session to a file named after its session ID inside the store directory, and the affected versions did not verify that the file resolved from a request's session ID stays inside that directory. An attacker who can control both the name and the contents of a file on the server, and who knows the relative path from the FileStore directory to that file, can therefore send a request whose session ID contains path-traversal sequences pointing at the file; Tomcat deserializes it as a persisted session with a Java ObjectInputStream, and a serialized gadget chain in the file yields remote code execution. All four conditions (file control, PersistentManager with FileStore, null or lax filter, known relative path) must hold for the attack to succeed.
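As an added illustration, not configuration taken from this page or shipped by the Tomcat project, here are Manager elements for a Tomcat context.xml (conf/context.xml or a web application's META-INF/context.xml) in the shape the conditions above require, followed by the hardened form. The store directory path is an assumption; the allow-list regex in the hardened version is the one Tomcat applies by default when a SecurityManager is present, shown as a starting point to extend with the application's own session attribute classes.

```xml
<!-- Added example: Manager elements for a Tomcat context.xml. The directory
     path /var/lib/tomcat/sessions is an assumption chosen for illustration. -->

<!-- 1. Configuration that satisfies conditions (b) and (c) of the advisory:
        PersistentManager + FileStore with sessionAttributeValueClassNameFilter
        unset (null). On an unpatched version any class on the classpath may be
        deserialized from a session file the request's session ID points at. -->
<Manager className="org.apache.catalina.session.PersistentManager" maxIdleBackup="30">
  <Store className="org.apache.catalina.session.FileStore"
         directory="/var/lib/tomcat/sessions"/>
</Manager>

<!-- 2. Hardened: same store, but an explicit allow-list of attribute value
        classes. The regex is Tomcat's default under a SecurityManager; append
        the application's own session attribute classes to it rather than
        relaxing it. warnOnSessionAttributeFilterFailure logs rejected classes
        at WARN level instead of DEBUG, which gives monitoring a signal. -->
<Manager className="org.apache.catalina.session.PersistentManager" maxIdleBackup="30"
         sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|org\.apache\.catalina\.realm\.GenericPrincipal\$SerializablePrincipal|\[Ljava\.lang\.String;"
         warnOnSessionAttributeFilterFailure="true">
  <Store className="org.apache.catalina.session.FileStore"
         directory="/var/lib/tomcat/sessions"/>
</Manager>
```

The filter only limits which classes a persisted session may deserialize and is defence in depth; the path traversal itself is closed by upgrading to 7.0.104, 8.5.55, 9.0.35 or 10.0.0-M5. Where sessions do not need to survive a restart, the simplest fix is to remove the PersistentManager/FileStore pairing altogether and fall back to the default StandardManager.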
What is the Impact of CVE-2020-9484?
Successful exploitation may allow attackers to execute arbitrary code on the server, leading to full system compromise, data theft, or denial of service.
What is the Exploitability of CVE-2020-9484?
Exploitation is considered highly complex because of the number of prerequisites. The attacker must already be able to write a file with a name and contents of their choosing somewhere on the server, for example through an upload feature, a shared or world-writable directory, or a separate weakness that yields a file-write primitive. The server must run an affected version configured with PersistentManager and FileStore, and the manager's sessionAttributeValueClassNameFilter must be unset (null, the default unless a SecurityManager is used) or lax enough to admit the attacker's gadget classes. Authentication may be needed to plant the file, but triggering the deserialization needs nothing beyond sending the crafted request, so the trigger itself is remote and unauthenticated. Finally, the attacker must know the relative path from the FileStore directory to the planted file, which requires knowledge of the deployment's layout. Local access, or a file-planting primitive obtained from another weakness, raises the likelihood of exploitation considerably; without such a primitive the vulnerability is not directly exploitable from the network.
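Two of the prerequisites above, the version and the Manager configuration, can be checked mechanically, and the fourth (the relative path) is easier to reason about with the file-name logic in front of you. The following Python script is an added example, not code from this page or from the Tomcat project: it classifies a version string against the ranges in the advisory, audits a context.xml for the PersistentManager/FileStore/null-or-lax-filter combination, and models how FileStore derives the session file path from the session ID before and after the fix. The sample XML documents, the directory /var/lib/tomcat/sessions and the canary class name are constructed for the example; the hardened branch of resolve_session_file is a model of the containment check, not Tomcat's own code.

```python
# Added example (not code from the page or from the Apache Tomcat project).
# Checks for CVE-2020-9484 prerequisites plus a model of the FileStore path bug.
# Constructed for illustration: the sample XML, /var/lib/tomcat/sessions and
# the canary class. The hardened branch of resolve_session_file() models the
# containment check the fix added; it is not Tomcat's own code.
import posixpath
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
# Probe class name: no real allow-list matches it, so a filter that does is lax.
CANARY_CLASS = "org.example.NotAnAllowedClass"


def version_is_affected(version: str) -> bool:
    """True if a Tomcat version string lies in a range the advisory lists."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    milestone = int(m.group(4)) if m.group(4) else None
    if major == 7:   # 7.0.0 to 7.0.103
        return minor == 0 and patch < 104
    if major == 8:   # 8.5.0 to 8.5.54; 8.0.x is end of life and not assessed
        return minor == 5 and patch < 55
    if major == 9:   # 9.0.0.M1 to 9.0.34 (milestones carry patch == 0)
        return minor == 0 and patch < 35
    if major == 10:  # 10.0.0-M1 to 10.0.0-M4
        return minor == 0 and patch == 0 and milestone is not None and 1 <= milestone <= 4
    return False


def filter_is_lax(class_filter) -> bool:
    """A null filter, or a regex that accepts the canary class, protects nothing.
    Tomcat requires the whole class name to match, hence re.fullmatch."""
    if class_filter is None:
        return True
    try:
        return re.fullmatch(class_filter, CANARY_CLASS) is not None
    except re.error:
        return True  # unparsable pattern: assume no protection


def audit_context_xml(xml_text: str) -> dict:
    """Flag a context.xml that wires PersistentManager + FileStore without an
    effective sessionAttributeValueClassNameFilter (advisory conditions b, c)."""
    root = ET.fromstring(xml_text)
    report = {"persistent_manager": False, "file_store": False,
              "filter": None, "vulnerable_config": False}
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        report["persistent_manager"] = True
        report["filter"] = manager.get("sessionAttributeValueClassNameFilter")
        if any(s.get("className") == FILE_STORE for s in manager.iter("Store")):
            report["file_store"] = True
    report["vulnerable_config"] = (report["persistent_manager"] and report["file_store"]
                                   and filter_is_lax(report["filter"]))
    return report


def resolve_session_file(store_dir: str, session_id: str, hardened: bool):
    """Model of FileStore.file(id): the session file is <directory>/<id>.session.
    Unpatched: the joined path is used as-is, so '../' in the ID escapes the
    directory. Hardened: the normalised path must stay under the store
    directory, otherwise the lookup is refused (returns None)."""
    candidate = posixpath.normpath(posixpath.join(store_dir, session_id + ".session"))
    if not hardened:
        return candidate
    base = posixpath.normpath(store_dir)
    return candidate if posixpath.commonpath([base, candidate]) == base else None


# Constructed sample configurations, not taken from any real deployment.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>"""
LAX_FILTER_CONTEXT = VULNERABLE_CONTEXT.replace(
    'PersistentManager"', 'PersistentManager" sessionAttributeValueClassNameFilter=".*"', 1)
HARDENED_CONTEXT = VULNERABLE_CONTEXT.replace(
    'PersistentManager"', 'PersistentManager" sessionAttributeValueClassNameFilter='
    r'"java\.lang\.(?:Boolean|Integer|Long|Number|String)"', 1)
DEFAULT_CONTEXT = "<Context/>"  # StandardManager by default, no Store

if __name__ == "__main__":
    for name, xml in [("vulnerable", VULNERABLE_CONTEXT), ("lax filter", LAX_FILTER_CONTEXT),
                      ("hardened", HARDENED_CONTEXT), ("default", DEFAULT_CONTEXT)]:
        print(f"{name:>10}: {audit_context_xml(xml)}")
    for v in ("9.0.34", "9.0.35", "10.0.0-M4", "10.0.0-M5"):
        print(f"{v}: affected={version_is_affected(v)}")
    evil_id = "../../../../tmp/payload"
    print("unpatched:", resolve_session_file("/var/lib/tomcat/sessions", evil_id, False))
    print("hardened: ", resolve_session_file("/var/lib/tomcat/sessions", evil_id, True))
```

Run it against the context.xml files of a real deployment by reading them into audit_context_xml; a report with vulnerable_config set to True on a version for which version_is_affected returns True means conditions (b) and (c) of the advisory hold and only the attacker's file-write primitive and path knowledge remain. The canary-class probe is a heuristic: a filter can still be too permissive for a specific application if it admits a class with a known gadget chain, so review the allow-list by hand as well.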
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| threedr3am | Link | A deserialization vulnerability that exists when Tomcat's built-in session replication feature is used with an insecure configuration (no EncryptInterceptor); with a carefully crafted packet, servers that use Tomcat's built-in session replication can be attacked. PS: this is not CVE-2020-9484; 9484 is the session persistence vulnerability, this one is the session cluster replication vulnerability! |
| masahiro331 | Link | PoC for CVE-2020-9484 |
| IdealDreamLast | Link | Reproducing the Apache Tomcat session deserialization code execution vulnerability on Kali 2.0 |
What are the Available Fixes for CVE-2020-9484?
Available Upgrade Options
- org.apache.tomcat:tomcat-catalina
- >=7.0.0, <7.0.104 → Upgrade to 7.0.104
- org.apache.tomcat:tomcat-catalina
- >=8.5.0, <8.5.55 → Upgrade to 8.5.55
- org.apache.tomcat:tomcat-catalina
- >=9.0.0.M1, <9.0.35 → Upgrade to 9.0.35
- org.apache.tomcat:tomcat-catalina
- >=10.0.0-M1, <10.0.0-M5 → Upgrade to 10.0.0-M5
Additional Resources
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222.patch
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpujul2022.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ
What are Similar Vulnerabilities to CVE-2020-9484?
Similar Vulnerabilities: CVE-2017-9805, CVE-2015-4852, CVE-2019-2729, CVE-2017-3241, CVE-2016-0638 (all remote code execution through unsafe Java deserialization)
