Strix
26.1K

CVE-2020-9484

HIGHCVSS 7/10EPSS 56.64%

Last modified

CVE-2020-9484 is a high-severity vulnerability rated 7/10 on the CVSS scale. When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.. EPSS estimates a 56.64% chance of exploitation in the next 30 days.

Description

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Metrics

CVSS 3.1
7/10

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
56.64%

98.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
ApacheTomcat>= 7.0.0, < 7.0.108
ApacheTomcat>= 8.5.0, < 8.5.63
ApacheTomcat>= 9.0.1, < 9.0.43
ApacheTomcat9.0.0Milestone1
ApacheTomcat10.0.0Milestone1
DebianDebian Linux8.0
DebianDebian Linux9.0
DebianDebian Linux10.0
OpensuseLeap15.1
FedoraprojectFedora31
FedoraprojectFedora32
CanonicalUbuntu Linux16.04
CanonicalUbuntu Linux20.04
OracleAgile Engineering Data Management6.2.1.0
OracleAgile Plm9.3.3
OracleAgile Plm9.3.5
OracleAgile Plm9.3.6
OracleCommunications Cloud Native Core Binding Support Function1.10.0
OracleCommunications Cloud Native Core Policy1.14.0
OracleCommunications Diameter Signaling Router>= 8.0.0.0, <= 8.4.0.5
OracleCommunications Element Manager>= 8.2.0, <= 8.2.2
OracleCommunications Instant Messaging Server10.0.1.4.0
OracleCommunications Session Report Manager>= 8.2.0, <= 8.2.2
OracleCommunications Session Route Manager>= 8.2.0, <= 8.2.2
OracleDatabase12.2.0.1
OracleDatabase19c
OracleDatabase21c
OracleFmw Platform12.2.1.3.0
OracleFmw Platform12.2.1.4.0
OracleHospitality Guest Access4.2.0
OracleHospitality Guest Access4.2.1
OracleInstantis Enterprisetrack>= 17.1, <= 17.3
OracleManaged File Transfer12.2.1.3.0
OracleManaged File Transfer12.2.1.4.0
OracleMysql Enterprise Monitor<= 8.0.21
OracleRetail Order Broker15.0
OracleSiebel Apps - Marketing<= 21.9
OracleSiebel Ui Framework<= 20.12
OracleTransportation Management6.3.7
OracleWorkload Manager12.2.0.1
OracleWorkload Manager18c
OracleWorkload Manager19c
McafeeEpolicy Orchestrator5.9.0
McafeeEpolicy Orchestrator5.9.1
McafeeEpolicy Orchestrator5.10.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2020-9484?
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
How severe is CVE-2020-9484?
CVE-2020-9484 has a CVSS score of 7/10 (HIGH severity). The EPSS model estimates a 56.64% probability of exploitation in the next 30 days.
How do I fix CVE-2020-9484?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-9484?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST