CVE-2020-9484: Example Analysis of the Apache Tomcat Session Deserialization Code Execution Vulnerability

2025-01-18 Update. From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 report

This article summarizes the cause of CVE-2020-9484, the Apache Tomcat session deserialization code execution vulnerability, the conditions needed to exploit it, the affected versions, and the fixes and workarounds.

0x00 vulnerability background

On May 21, 2020, 360CERT monitoring detected that Apache had issued a security notice for an Apache Tomcat remote code execution vulnerability. The vulnerability is tracked as CVE-2020-9484, and Apache rates it as High.

Apache Tomcat is an open source Java-based Web application container that runs servlet and JSP Web applications.

When Tomcat is configured to persist sessions to disk with PersistenceManager and FileStore, session data is deserialized from files under the FileStore directory. With the default configuration (no sessionAttributeValueClassNameFilter, or an overly loose one), an attacker who can place a file with content and name of their choosing on the server, and who knows its path relative to the FileStore directory, can make Tomcat deserialize that file by supplying a crafted session identifier (the file path is derived from it). Deserializing attacker-controlled data leads to remote code execution on the Tomcat server.

360CERT recommends that users install the latest patch promptly and carry out asset self-checks, testing and hardening to avoid attacks.

0x01 risk rating

360CERT assessment of the vulnerability:

Assessment method | Threat level: Medium | Impact surface: General

0x02 vulnerability details

Exploiting this vulnerability requires all four of the following conditions:

1. The attacker can control the contents and name of a file on the server.

2. The server is configured to use PersistenceManager with FileStore.

3. PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default, unless a SecurityManager is used) or some other very loose filter, so that the attacker-supplied object is allowed to be deserialized.

4. The attacker knows the relative file path from the storage location used by FileStore to the file they control.

The filter in condition 3 limits which classes may be deserialized from a persisted session; the traversal in condition 4 is what lets the attacker point the store at a file outside the session directory. Both must hold for the attack to succeed.

0x03 affects version

Apache Tomcat: 10.0.0-M1 to 10.0.0-M4

Apache Tomcat: 9.0.0.M1 to 9.0.34

Apache Tomcat: 8.5.0 to 8.5.54

Apache Tomcat: 7.0.0 to 7.0.103

0x04 repair recommendations

General patching recommendations:

Upgrade to Apache Tomcat 10.0.0-M5 or later

Upgrade to Apache Tomcat 9.0.35 or later

Upgrade to Apache Tomcat 8.5.55 or later

Upgrade to Apache Tomcat 7.0.104 or later

Temporary patching recommendations:

Disable the session persistence feature (PersistenceManager with FileStore) until the upgrade is applied. Where persistence cannot be turned off, set a restrictive sessionAttributeValueClassNameFilter on the PersistenceManager so that only the classes your application actually stores in sessions can be deserialized; this removes condition 3 above, but the path handling itself is only fixed by upgrading.
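The following script is an added self-check example written for this article; it is not code from 360CERT, Apache or the Tomcat project. It checks the two things a defender can verify offline: whether a Tomcat version string falls inside the affected ranges listed above, and whether a context.xml combines PersistenceManager with FileStore and no sessionAttributeValueClassNameFilter (conditions 2 and 3). The two context.xml samples are constructed for the example, the session directory path is a placeholder, and the allow-list regex in the hardened sample is only an illustration of a restrictive filter, not a recommended production value.

```python
"""Offline self-check for CVE-2020-9484 preconditions (added example, not 360CERT or Apache code).

  is_affected(version)  - is this Tomcat version inside the advisory's affected ranges?
  audit_context(xml)    - does this context.xml satisfy the configuration preconditions?
"""
import re
import xml.etree.ElementTree as ET

# Matches "9.0.34", "9.0.0.M1" and "10.0.0-M4".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version: str) -> tuple:
    """Sortable key for a Tomcat version. Milestones (9.0.0.M1, 10.0.0-M4)
    sort before the release of the same number, so 9.0.0.M27 < 9.0.1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive ranges from the advisory's "affected versions" section.
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M4"),
    ("9.0.0.M1", "9.0.34"),
    ("8.5.0", "8.5.54"),
    ("7.0.0", "7.0.103"),
]


def is_affected(version: str) -> bool:
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


PERSISTENCE_MANAGER = "org.apache.catalina.session.PersistenceManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def audit_context(context_xml: str) -> dict:
    """Report which configuration preconditions (conditions 2 and 3) a context.xml meets."""
    root = ET.fromstring(context_xml)
    result = {"persistence_manager": False, "file_store": False,
              "filter": None, "vulnerable_config": False}
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENCE_MANAGER:
            continue
        result["persistence_manager"] = True
        flt = manager.get("sessionAttributeValueClassNameFilter")
        # Absent, empty, or the literal "null" all mean "no class filter".
        result["filter"] = None if flt in (None, "", "null") else flt
        for store in manager.iter("Store"):
            if store.get("className") == FILE_STORE:
                result["file_store"] = True
    result["vulnerable_config"] = (result["persistence_manager"]
                                   and result["file_store"]
                                   and result["filter"] is None)
    return result


# Constructed sample: PersistenceManager + FileStore, default (absent) filter.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistenceManager">
    <Store className="org.apache.catalina.session.FileStore" directory="/opt/tomcat/sessions"/>
  </Manager>
</Context>"""

# Constructed sample: same store, but an illustrative allow-list filter (assumed value).
# This removes condition 3 only; the path handling is fixed only by upgrading Tomcat.
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistenceManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="/opt/tomcat/sessions"/>
  </Manager>
</Context>"""


if __name__ == "__main__":
    for v in ("9.0.34", "9.0.35", "10.0.0-M4", "10.0.0-M5", "8.5.54", "7.0.104"):
        print(f"Tomcat {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("vulnerable sample:", audit_context(VULNERABLE_CONTEXT))
    print("hardened sample:  ", audit_context(HARDENED_CONTEXT))
```

Point audit_context at each context.xml (and the per-application META-INF/context.xml files) on a host, and is_affected at the version reported by the Tomcat installation; a host is exposed only when both the version and the configuration checks fire. The filter check is a useful signal, but a restrictive filter is a stopgap: the upgrade is what removes condition 4.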

0x05 related spatial mapping data

Mapping of assets across the whole network shows that Apache Tomcat is widely deployed both in China and abroad, as shown in the following figure.

0x06 product side solution

360 city-level network security monitoring service: the QUAKE asset mapping platform of the 360 Security Brain monitors such vulnerabilities and events by means of asset mapping; users can contact the relevant product area leads to obtain the corresponding products.
