
Tomcat Session Deserialization Vulnerability

IDs: 
CVE-2020-9484
Keywords: 
Tomcat
Description: 

Tomcat versions 8.5.0 to 8.5.54 (and 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 7.0.0 to 7.0.103) are vulnerable to remote code execution (RCE) through deserialization of a crafted session file when all of the following apply:

  1. an attacker is able to control the contents and name of a file on the server;
  2. the server is configured to use PersistenceManager with a FileStore as Session Manager;
  3. PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is enabled) or a lax filter that still allows the attacker-provided object to be deserialized; and
  4. the attacker knows the relative file path from the storage location used by the FileStore to the file they control.

The issue is fixed in Tomcat 10.0.0-M5, 9.0.35, 8.5.55 and 7.0.104.

No action required for Airlock IAM and WAF

Details:

CVE-2020-9484 - Airlock IAM does not persist sessions in files (PersistenceManager is not used), nor is it normally possible to write attacker-controlled files on the IAM or WAF host.

Resolution: 

No actions required for Airlock WAF or IAM.

Actions required for Back-ends

Verify on your back-end servers that the setup described above does not apply (no PersistenceManager with a FileStore, or a restrictive sessionAttributeValueClassNameFilter configured), or update to a fixed Tomcat version (10.0.0-M5, 9.0.35, 8.5.55, 7.0.104 or later) if possible: http://tomcat.apache.org/
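The following script is an added example for the back-end check above; it is not Airlock or Apache Tomcat code. It parses a context.xml or server.xml fragment and reports a PersistentManager (className org.apache.catalina.session.PersistentManager) backed by a FileStore whose sessionAttributeValueClassNameFilter is missing or permissive, and classifies a reported Tomcat version against the affected ranges listed in the advisory. The XML fragments and the probe class name com.example.ArbitraryAttributeType are constructed for illustration; the hardened fragment uses the allow-list regex that Tomcat applies by default only when a SecurityManager is enabled.

```python
"""Audit Tomcat session-manager configuration for the CVE-2020-9484 preconditions.

Added example, not Airlock or Apache Tomcat code. The XML below is constructed.
"""
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"
# Hypothetical class name used to probe whether a filter admits arbitrary classes.
PROBE_CLASS = "com.example.ArbitraryAttributeType"

# Constructed weak setup: the filter is unset, which Tomcat treats as null when no
# SecurityManager is enabled, so any class on the classpath may be deserialized.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>"""

# Constructed: a filter is configured, but ".*" matches every class name.
PERMISSIVE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter=".*">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>"""

# Constructed hardened setup: only a short allow-list of java.lang types is
# accepted as session attribute values (Tomcat's SecurityManager default regex).
HARDENED_CONTEXT_XML = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>"""


def audit_manager_config(xml_text):
    """Return a list of findings for Manager elements in the fragment.
    An empty list means the CVE-2020-9484 configuration precondition is absent."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue  # StandardManager and others do not load session files by name
        if not any(s.get("className") == FILE_STORE for s in manager.findall("Store")):
            continue  # e.g. JDBCStore: no attacker-reachable file path
        flt = manager.get(FILTER_ATTR)
        if flt is None or not flt.strip():
            findings.append("PersistentManager with FileStore and no "
                            + FILTER_ATTR + " (null by default without a SecurityManager)")
            continue
        try:
            # Tomcat applies the filter as a full regex match on the class name.
            if re.fullmatch(flt, PROBE_CLASS):
                findings.append(FILTER_ATTR + "=" + repr(flt)
                                + " is permissive: it admits " + PROBE_CLASS)
        except re.error as exc:
            findings.append(FILTER_ATTR + "=" + repr(flt) + " is not a valid regex: " + str(exc))
    return findings


# Affected ranges from the advisory: (first affected, first fixed) per release line.
# Versions are tuples (major, minor, patch, is_ga, milestone); milestones sort
# before the GA release of the same number.
AFFECTED = {
    7: ((7, 0, 0, 1, 0), (7, 0, 104, 1, 0)),
    8: ((8, 5, 0, 1, 0), (8, 5, 55, 1, 0)),
    9: ((9, 0, 0, 0, 1), (9, 0, 35, 1, 0)),
    10: ((10, 0, 0, 0, 1), (10, 0, 0, 0, 5)),
}


def parse_version(version):
    """Parse '8.5.54', '9.0.0.M1' or '10.0.0-M4' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: " + version)
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    milestone = m.group(4)
    return (major, minor, patch, 1 if milestone is None else 0, int(milestone or 0))


def version_is_vulnerable(version):
    """True if the version is inside an affected range, False if at or past the
    fix; raises ValueError for lines the advisory does not cover (e.g. 8.0.x)."""
    v = parse_version(version)
    if v[0] not in AFFECTED or v < AFFECTED[v[0]][0]:
        raise ValueError("release line not covered by the advisory: " + version)
    return v < AFFECTED[v[0]][1]


if __name__ == "__main__":
    for name, xml in (("weak", WEAK_CONTEXT_XML), ("permissive", PERMISSIVE_CONTEXT_XML),
                      ("hardened", HARDENED_CONTEXT_XML)):
        print(name, audit_manager_config(xml) or "no finding")
    for ver in ("8.5.54", "8.5.55", "10.0.0-M4", "9.0.0.M1"):
        print(ver, "vulnerable" if version_is_vulnerable(ver) else "fixed")
```

Run it against the Manager elements from your own conf/context.xml or server.xml (and any per-application META-INF/context.xml); a version check alone is not enough, because a fixed Tomcat with a null filter still relies on the default StandardManager not being swapped for a file-backed PersistentManager. Regex semantics are close enough between Java and Python for typical allow-list filters, but a filter that only compiles in one of them will be reported rather than silently accepted.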

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution