CVE-2020-9484: High severity IBM Data Risk Manager vulnerability

Published May 20, 2020
·
Updated

A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. An attacker can exploit the flaw if all of the following are true: An attacker is able to control the contents and name of a file on the server. The server is configured to use the PersistenceManager with a FileStore. The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized. The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over. If all these conditions are true, the attacker can use a specifically crafted request to trigger Remote Code Execution through deserialization of the file under their control.

This flaw affects the following Tomcat versions: 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, and 7.0.0 to 7.0.103.

Upstream commits:

Tomcat 10.0: https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b Tomcat 9.0: https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222 Tomcat 8.5: https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f Tomcat 7.0: https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623cfd06

Other sources

A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.

Apache Tomcat could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unsafe deserialization when the server is configured to use the PersistenceManager with a FileStore. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system.

IBM

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Affected Software

101 affected componentsFixes available
redhat/tomcat6<0:6.0.24-115.el6_10
0:6.0.24-115.el6_10
redhat/tomcat<0:7.0.76-12.el7_8
0:7.0.76-12.el7_8
redhat/tomcat7<0:7.0.70-40.ep7.el6
0:7.0.70-40.ep7.el6
redhat/tomcat8<0:8.0.36-44.ep7.el6
0:8.0.36-44.ep7.el6
redhat/tomcat-native<0:1.2.23-22.redhat_22.ep7.el6
0:1.2.23-22.redhat_22.ep7.el6
redhat/tomcat7<0:7.0.70-40.ep7.el7
0:7.0.70-40.ep7.el7
redhat/tomcat8<0:8.0.36-44.ep7.el7
0:8.0.36-44.ep7.el7
redhat/tomcat-native<0:1.2.23-22.redhat_22.ep7.el7
0:1.2.23-22.redhat_22.ep7.el7
redhat/jws5-tomcat<0:9.0.30-4.redhat_5.1.el6
0:9.0.30-4.redhat_5.1.el6
redhat/jws5-tomcat-native<0:1.2.23-5.redhat_5.el6
0:1.2.23-5.redhat_5.el6
redhat/jws5-tomcat<0:9.0.30-4.redhat_5.1.el7
0:9.0.30-4.redhat_5.1.el7
redhat/jws5-tomcat-native<0:1.2.23-5.redhat_5.el7
0:1.2.23-5.redhat_5.el7
redhat/jws5-tomcat<0:9.0.30-4.redhat_5.1.el8
0:9.0.30-4.redhat_5.1.el8
redhat/jws5-tomcat-native<0:1.2.23-5.redhat_5.el8
0:1.2.23-5.redhat_5.el8
redhat/tomcat<10.0.0
10.0.0
redhat/tomcat<9.0.35
9.0.35
redhat/tomcat<8.5.55
8.5.55
redhat/tomcat<7.0.104
7.0.104
maven/org.apache.tomcat:tomcat-catalina>=7.0.0<7.0.104
7.0.104
maven/org.apache.tomcat:tomcat-catalina>=8.0.0<8.5.55
8.5.55
maven/org.apache.tomcat:tomcat-catalina>=9.0.0<9.0.35
9.0.35
maven/org.apache.tomcat:tomcat-catalina>=10.0.0-M1<=10.0.0-M4
10.0.0-M5
IBM Data Risk Manager<=2.0.6
Apache Tomcat>=7.0.0<7.0.108
Apache Tomcat>=8.5.0<8.5.63
Apache Tomcat>=9.0.1<9.0.43
Apache Tomcat=9.0.0-milestone1
Apache Tomcat=9.0.0-milestone10
Apache Tomcat=9.0.0-milestone11
Apache Tomcat=9.0.0-milestone12
Apache Tomcat=9.0.0-milestone13
Apache Tomcat=9.0.0-milestone14
Apache Tomcat=9.0.0-milestone15
Apache Tomcat=9.0.0-milestone16
Apache Tomcat=9.0.0-milestone17
Apache Tomcat=9.0.0-milestone18
Apache Tomcat=9.0.0-milestone19
Apache Tomcat=9.0.0-milestone2
Apache Tomcat=9.0.0-milestone20
Apache Tomcat=9.0.0-milestone21
Apache Tomcat=9.0.0-milestone22
Apache Tomcat=9.0.0-milestone23
Apache Tomcat=9.0.0-milestone24
Apache Tomcat=9.0.0-milestone25
Apache Tomcat=9.0.0-milestone26
Apache Tomcat=9.0.0-milestone27
Apache Tomcat=9.0.0-milestone3
Apache Tomcat=9.0.0-milestone4
Apache Tomcat=9.0.0-milestone5
Apache Tomcat=9.0.0-milestone6
Apache Tomcat=9.0.0-milestone7
Apache Tomcat=9.0.0-milestone8
Apache Tomcat=9.0.0-milestone9
Apache Tomcat=10.0.0-milestone1
Apache Tomcat=10.0.0-milestone2
Apache Tomcat=10.0.0-milestone3
Apache Tomcat=10.0.0-milestone4
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
openSUSE Leap=15.1
Fedoraproject Fedora=31
Fedoraproject Fedora=32
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=20.04
Oracle Agile Engineering Data Management=6.2.1.0
Oracle Agile PLM=9.3.3
Oracle Agile PLM=9.3.5
Oracle Agile PLM=9.3.6
Oracle Communications Cloud Native Core Binding Support Function=1.10.0
Oracle Communications Cloud Native Core Policy=1.14.0
Oracle Communications Diameter Signaling Router>=8.0.0.0<=8.4.0.5
Oracle Communications Element Manager>=8.2.0<=8.2.2
Oracle Communications Instant Messaging Server=10.0.1.4.0
Oracle Communications Session Report Manager>=8.2.0<=8.2.2
Oracle Communications Session Route Manager>=8.2.0<=8.2.2
Oracle Database=12.2.0.1
Oracle Database=19c
Oracle Database=21c
Oracle Fmw Platform=12.2.1.3.0
Oracle Fmw Platform=12.2.1.4.0
Oracle Hospitality Guest Access=4.2.0
Oracle Hospitality Guest Access=4.2.1
Oracle Instantis Enterprisetrack>=17.1<=17.3
Oracle Managed File Transfer=12.2.1.3.0
Oracle Managed File Transfer=12.2.1.4.0
Oracle MySQL Enterprise Monitor<=8.0.21
Oracle Retail Order Broker=15.0
Oracle Siebel Apps - Marketing<=21.9
Oracle Siebel UI Framework<=20.12
Oracle Transportation Management=6.3.7
Oracle Workload Manager=12.2.0.1
Oracle Workload Manager=18c
Oracle Workload Manager=19c
McAfee ePolicy Orchestrator=5.9.0
McAfee ePolicy Orchestrator=5.9.1
McAfee ePolicy Orchestrator=5.10.0
McAfee ePolicy Orchestrator=5.10.0-update_1
McAfee ePolicy Orchestrator=5.10.0-update_2
McAfee ePolicy Orchestrator=5.10.0-update_3
debian/tomcat9
9.0.43-2~deb11u109.0.43-2~deb11u129.0.70-29.0.95-1

Remediation

Patch Available

https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E

Patch Available

https://www.oracle.com//security-alerts/cpujul2021.html

Patch Available

https://www.oracle.com/security-alerts/cpuApr2021.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2021.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2022.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2020.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2020.html

Patch Available

https://www.oracle.com/security-alerts/cpuoct2021.html

Patch Available

https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f@%3Ccommits.tomee.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c@%3Cdev.tomcat.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E

Information

Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.

Event History

May 20, 2020
CVE Published
12:00 AM
CVE Published
via MITRE·06:26 PM
Data Sourced
via MITRE·06:26 PM
DescriptionWeakness
Data Sourced
via Red Hat·10:57 PM
DescriptionSeverityAffected Software
May 21, 2020
Advisory Published
via GitHub·06:52 PM
Jan 11, 2024
Data Sourced
via Launchpad·11:53 PM
Description
Sep 16, 2024
Data Sourced
via Ubuntu·02:30 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2020-9484?

CVE-2020-9484 is rated as important due to a deserialization vulnerability that can be exploited by attackers.

2

How do I fix CVE-2020-9484?

To address CVE-2020-9484, upgrade to Apache Tomcat versions 7.0.104, 8.5.55, 9.0.35, or 10.0.0.

3

What systems are affected by CVE-2020-9484?

CVE-2020-9484 affects Apache Tomcat versions prior to 7.0.104, 8.5.55, 9.0.35, and 10.0.0.

4

What is the impact of exploiting CVE-2020-9484?

Exploiting CVE-2020-9484 can allow an attacker to execute arbitrary code on the server.

5

Is there a workaround for CVE-2020-9484?

A workaround for CVE-2020-9484 is to reconfigure the server to avoid using a PersistenceManager with a FileStore.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203