| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 30 May 2020 15:44:03 +0200 From: Red Timmy Security <publications@...timmy.com> To: fulldisclosure@...lists.org Subject: [FD] [CVE-2020-9484] Apache Tomcat RCE via PersistentManager Original post: https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/ SUMMARY Apache Tomcat is affected by a Java deserialization vulnerability, if the PersistentManager is configured as session manager. Successful exploitation requires the attacker to be able to upload an arbitrary file to the server. AFFECTED VERSIONS - Apache Tomcat 10.x < 10.0.0-M5 - Apache Tomcat 9.x < 9.0.35 - Apache Tomcat 8.x < 8.5.55 - Apache Tomcat 7.x < 7.0.104 VULNERABILITY DETAILS The vulnerability exists because the PersistentManager will try to load session objects from disk. These session objects are stored as serialized object. The idea is to have the attacker store a malicious serialized object on disk, and have the PersistentManager load from there. For this to work, the following conditions apply: * The PersistentManager is enabled and it's using a FileStore * The attacker is able to upload a file with arbitrary content, has control over the filename and knows the location where it is uploaded * There are gadgets in the classpath that can be used for a Java deserialization attack Full details on how to exploit can be found in this post: https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/ VENDOR RESPONSE Apache Tomcat has officially released a new version to fix this vulnerability. It is recommended that affected users upgrade Tomcat to the unaffected version as soon as possible. Users who are inconvenient to upgrade can also temporarily disable the FileStore function or configure the value of sessionAttributeValueClassNameFilte separately to ensure that only objects with specific attributes can be serialized/deserialized. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists