On March 1, 2021, NSFOCUS observed that Apache Software Foundation (ASF) released a security bulletin to announce the fix of a remote code execution vulnerability via session persistence. This vulnerability is due to the bypass of the patch against CVE-2020-9484. If Tomcat’s session persistence function is used, its insecure configuration allows attackers to execute arbitrary code by sending a malicious request. For successful exploitation of this vulnerability, the attacker needs to meet all of the following conditions:
1. The attacker is able to control the contents and name of a file on the server.
2. The server is configured to use the PersistenceManager with a FileStore.
3. The PersistenceManager is configured with sessionAttributeValueClassNameFilter=”null” or a sufficiently lax filter to allow the attacker-provided object to be deserialized.
4. The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over.
Scope of Impact
- Apache Tomcat 10.0.0-M1—10.0.0
- Apache Tomcat 9.0.0.M1—9.0.41
- Apache Tomcat 8.5.0—8.5.61
- Apache Tomcat 7.0.0—7.0.107
- Apache Tomcat 10.x>=10.0.2
- Apache Tomcat 9.x>=9.0.43
- Apache Tomcat 8.x>=8.5.63
- Apache Tomcat 7.x>=7.0.108
Note: The security issue was fixed in Tomcat 10.0.1, 9.0.42, and 8.5.62, but the release votes for those versions did not pass.
Check for the Vulnerability
1. The name of the installation package downloaded from the official Apache Tomcat website contains the Tomcat version. If users did not change the Tomcat directory name upon decompression, they can determine the current Tomcat version by checking the folder name.
If the decompressed Tomcat directory name was changed or the package was installed with Windows Service Installer, the user can query the current version number by using the version module that comes with the software. Alternatively, users can access the bin directory in the Tomcat installation directory and execute version.bat (version.sh on Linux) to view the current version of Tomcat.
2. Check conf/context.xml or server.xml of a specific project to determine whether the following <Manager> node exists. If it is one of the affected versions and FileStore is used in the PersistenceManager configuration, the application is deemed vulnerable.
Currently, this vulnerability has been fixed in the latest version. If you are affected by this vulnerability, please upgrade your installation as soon as possible. For the links to the downloadable new releases, see the following table.
|Apache Tomcat 10.0.2||https://tomcat.apache.org/download-10.cgi|
|Apache Tomcat 9.0.43||https://tomcat.apache.org/download-90.cgi|
|Apache Tomcat 8.5.63||https://tomcat.apache.org/download-80.cgi|
|Apache Tomcat 7.0.108||https://tomcat.apache.org/download-70.cgi|
Other Protection Measures
If it is impossible to upgrade currently, users can take the following mitigation measures: Disable the session persistence function FileStore or configure the value of sessionAttributeValueClassNameFilte separately to ensure that only objects with specific attributes can be serialized or deserialized.
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyberattacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.