Apache has issued an advisory today (May 20):
The issue is fixed upstream in 9.0.35:
Mageia 7 is also affected.
Whiteboard: Fixed upstream in 9.0.35
This update fixes CVE-2020-9484
Apache Tomcat Remote Code Execution via session persistence
It updates tomcat to version 9.0.35
Updated tomcat packages fix security vulnerability:
When using Apache Tomcat versions 9.0.0.M1 to 9.0.34, if a) an attacker is able
to control the contents and name of a file on the server; and b) the server is
configured to use the PersistenceManager with a FileStore; and c) the
PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the attacker
provided object to be deserialized; and d) the attacker knows the relative file
path from the storage location used by FileStore to the file the attacker has
control over; then, using a specifically crafted request, the attacker will be
able to trigger remote code execution via deserialization of the file under
their control. Note that all of conditions a) to d) must be true for the attack
to succeed (CVE-2020-9484).
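Conditions b) and c) of the advisory are visible in a Tomcat context.xml, so an administrator who cannot update immediately can at least find which contexts satisfy them. The following audit script is an added example, not part of this bug or of Apache's advisory; the context.xml samples are constructed, and the element and attribute names (Manager/Store className, sessionAttributeValueClassNameFilter, directory) are the ones Tomcat documents for PersistentManager and FileStore. The "safe" filter used as the hardened baseline is the regex Tomcat applies by default when a SecurityManager is enabled. Conditions a) and d) depend on file-system permissions and cannot be judged from the XML, so the script only reports the store directory for a manual check.

```python
"""Audit Tomcat context.xml files for the CVE-2020-9484 preconditions b) and c).

Added example (not from the Mageia bug or the Apache advisory). The XML samples
below are constructed; SAFE_FILTER is the pattern Tomcat itself uses when a
SecurityManager is active and is assumed here to be an acceptable baseline.
"""
from typing import List
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
SAFE_FILTER = r"java\.lang\.(?:Boolean|Integer|Long|Number|String)"

# Patterns that accept every class name; functionally the same as no filter.
MATCH_ALL = {".*", ".+", "^.*$", "^.+$"}


def assess_context(xml_text: str) -> List[str]:
    """Return findings for each PersistentManager+FileStore combination whose
    sessionAttributeValueClassNameFilter is unset or matches everything.
    An empty list means conditions b) and c) do not both hold in this context."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    for mgr in root.iter("Manager"):
        if mgr.get("className") != PERSISTENT_MANAGER:
            continue
        store = mgr.find("Store")
        if store is None or store.get("className") != FILE_STORE:
            continue  # condition b) requires a FileStore specifically
        directory = store.get("directory", "<default: work dir>")
        flt = (mgr.get("sessionAttributeValueClassNameFilter") or "").strip()
        # The advisory writes the unset case as "null": no attribute means no filter.
        if flt == "":
            findings.append(
                "PersistentManager with FileStore (directory=%s) has no "
                "sessionAttributeValueClassNameFilter; any serializable class "
                "can be deserialized. Check who can write to that directory." % directory)
        elif flt in MATCH_ALL:
            findings.append(
                "PersistentManager with FileStore (directory=%s) uses match-all "
                "filter %r, equivalent to no filter." % (directory, flt))
    return findings


# Constructed sample: persistence enabled, no class-name filter (b and c hold).
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: same setup with a permissive filter that accepts everything.
LAX_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter=".*">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: hardened with Tomcat's SecurityManager-default filter.
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: default in-memory StandardManager, no persistence at all.
NO_PERSISTENCE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""


if __name__ == "__main__":
    for name, xml_text in [("vulnerable", VULNERABLE_CONTEXT), ("lax", LAX_CONTEXT),
                           ("hardened", HARDENED_CONTEXT), ("none", NO_PERSISTENCE_CONTEXT)]:
        print(name, assess_context(xml_text) or ["ok"])
```

Run it against /etc/tomcat/context.xml and each webapp's META-INF/context.xml; a finding means the server still depends on conditions a) and d) not being met, and the fix is the updated package or a restrictive filter such as SAFE_FILTER.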
MGA7-64 Plasma on Lenovo B50
No installation issues.
I still had /etc/tomcat/tomcat-users.xml from previous tests, so that one was saved during installation. I re-used it, ref bug 23045.
I browsed http://localhost:8080/sample and http://localhost:8080/examples and clicked the links.
All worked except one which throws a 404 error.
The page http://localhost:8080 also comes up OK, but trying the manager app also results in:
HTTP Status 404 – Not Found
Type Status Report
Message The requested resource [/manager/html] is not available
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
I guess the package tomcat-admin-webapps is missing.
The package tomcat-admin-webapps-9.0.35-1.mga7 is missing from the list in Comment 1, but I did find it in the testing repo.
Added the tomcat-admin-webapps-9.0.35-1.mga7 package, which gets rid of the 404 error.
But I can't get past the authentication.
My tomcat-users.xml reads at the end:
<user name="admin" password="tester" roles="tomcat,admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status"/>
I don't see the problem here.