lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sat, 30 May 2020 15:44:03 +0200
From: Red Timmy Security <>
Subject: [FD] [CVE-2020-9484] Apache Tomcat RCE via PersistentManager

Original post:


Apache Tomcat is affected by a Java deserialization vulnerability, if
the PersistentManager is configured as session manager. Successful
exploitation requires the attacker to be able to upload an arbitrary
file to the server. 


- Apache Tomcat 10.x < 10.0.0-M5
- Apache Tomcat 9.x < 9.0.35
- Apache Tomcat 8.x < 8.5.55
- Apache Tomcat 7.x < 7.0.104 


The vulnerability exists because the PersistentManager will try to load
session objects from disk. These session objects are stored as
serialized object. The idea is to have the attacker store a malicious
serialized object on disk, and have the PersistentManager load from
there. For this to work, the following conditions apply: 

 	* The PersistentManager is enabled and it's using a FileStore
 	* The attacker is able to upload a file with arbitrary content, has
control over the filename and knows the location where it is uploaded
 	* There are gadgets in the classpath that can be used for a Java
deserialization attack

Full details on how to exploit can be found in this post:


Apache Tomcat has officially released a new version to fix this
vulnerability. It is recommended that affected users upgrade Tomcat to
the unaffected version as soon as possible. Users who are inconvenient
to upgrade can also temporarily disable the FileStore function or
configure the value of sessionAttributeValueClassNameFilte separately to
ensure that only objects with specific attributes can be

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists