On March 1, the Apache Software Foundation issued a security notice to fix an RCE vulnerability (CVE-2021-25329) via session persistence. This vulnerability is a bypass of the CVE-2020-9484 patch. If Tomcat’s session persistence is used with an “insecure configuration”, attackers can send malicious requests to execute arbitrary code. Successful exploitation of this vulnerability requires that the following four conditions are met at the same time:
- The attacker can control the content and file name of a file on the server
- FileStore is used in the server PersistenceManager configuration
- The sessionAttributeValueClassNameFilter in PersistenceManager is configured as “null”, or the filter is not strict enough, which allows the attacker-supplied object to be deserialized
- The attacker knows the relative path from the FileStore storage location in use to the file the attacker controls
The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that the previously published prerequisites for CVE-2020-9484 also apply to this issue.
Affected versions:
- Apache Tomcat 10.0.0-M1 to 10.0.0
- Apache Tomcat 9.0.0.M1 to 9.0.41
- Apache Tomcat 8.5.0 to 8.5.61
- Apache Tomcat 7.0.0 to 7.0.107
Fixed versions:
- Apache Tomcat 10.0.2 or later
- Apache Tomcat 9.0.43 or later
- Apache Tomcat 8.5.63 or later
- Apache Tomcat 7.0.108 or later
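The configuration conditions and version list above can be checked on a deployment with a small audit script. This is an added example, not code from the Apache advisory or from Tomcat: the sample `context.xml` fragments and the probe class name are constructed, the class names `org.apache.catalina.session.PersistentManager` and `org.apache.catalina.session.FileStore` are Tomcat's own, and Python's `re` is assumed to be a close enough stand-in for Java's regex matching on simple filters.

```python
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
# Constructed probe: a class name no session attribute should legitimately have.
PROBE_CLASS = "com.example.NotASessionType"
# First fixed patch release per branch, taken from the upgrade list above.
FIXED = {(10, 0): 2, (9, 0): 43, (8, 5): 63, (7, 0): 108}

# Constructed sample context.xml fragments (not from a real deployment).
WEAK = r"""<Context><Manager className="org.apache.catalina.session.PersistentManager">
  <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
</Manager></Context>"""
HARDENED = r"""<Context><Manager className="org.apache.catalina.session.PersistentManager"
    sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
  <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
</Manager></Context>"""


def needs_upgrade(version):
    """True if below the fixed release of its branch; None for an unlisted branch."""
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    fixed_patch = FIXED.get((major, minor))
    return None if fixed_patch is None else patch < fixed_patch


def audit_manager(context_xml):
    """Return one finding per <Manager> that uses FileStore with a null or lax filter."""
    findings = []
    for manager in ET.fromstring(context_xml).iter("Manager"):
        uses_file_store = any(s.get("className") == FILE_STORE for s in manager.iter("Store"))
        if manager.get("className") != PERSISTENT_MANAGER or not uses_file_store:
            continue
        class_filter = manager.get("sessionAttributeValueClassNameFilter")
        if not class_filter:
            findings.append("FileStore with no class-name filter (null)")
        elif re.fullmatch(class_filter, PROBE_CLASS):
            findings.append("FileStore with a filter that accepts arbitrary classes")
    return findings


if __name__ == "__main__":
    print(audit_manager(WEAK), audit_manager(HARDENED), needs_upgrade("9.0.41"))
```

The filter check is a heuristic: it only reports a filter that fully matches the constructed probe name, so a filter that passes should still be reviewed against the classes the application actually stores in sessions.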