Apache has issued an advisory today (May 20): https://www.openwall.com/lists/oss-security/2020/05/20/4 The issue is fixed upstream in 9.0.35: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35 Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 9.0.35
Whiteboard: (none) => MGA7TOO
Advisory:
This update fixes CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence. It updates tomcat to version 9.0.35.
References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35
rpms:
tomcat-servlet-4.0-api-9.0.35-1.mga7
tomcat-9.0.35-1.mga7
tomcat-el-3.0-api-9.0.35-1.mga7
tomcat-webapps-9.0.35-1.mga7
tomcat-jsp-2.3-api-9.0.35-1.mga7
tomcat-jsvc-9.0.35-1.mga7
tomcat-lib-9.0.35-1.mga7
tomcat-docs-webapp-9.0.35-1.mga7
from: tomcat-9.0.35-1.mga7
Status comment: Fixed upstream in 9.0.35 => (none)
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia
Version: Cauldron => 7
Advisory:
========================
Updated tomcat packages fix security vulnerability:
When using Apache Tomcat versions 9.0.0.M1 to 9.0.34, if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed (CVE-2020-9484).
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35
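As an added example (not part of this bug report or of the Tomcat project), the following Python check evaluates conditions b) and c) from the advisory above against a Tomcat context.xml: it reports whether a persistent session manager backed by a FileStore is configured and whether sessionAttributeValueClassNameFilter is missing, "null" or obviously permissive. The two context.xml documents are constructed samples; the Manager class name used is org.apache.catalina.session.PersistentManager, which is the class the advisory's "PersistenceManager" refers to.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the configuration shape the advisory describes as
# exploitable (FileStore present, no attribute value class-name filter).
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: same store, but attribute deserialization limited to
# an explicit allow-list of class names (a regex, as Tomcat expects).
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|String)">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>"""


def assess_context(xml_text):
    """Return (uses_file_store, filter_is_lax) for one context.xml document."""
    root = ET.fromstring(xml_text)
    uses_file_store = False
    filter_is_lax = False
    for manager in root.iter("Manager"):
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        stores = [s for s in manager.iter("Store")
                  if s.get("className", "").endswith("FileStore")]
        if not stores:
            continue
        uses_file_store = True  # condition b)
        # Condition c): no filter attribute, the literal "null", an empty
        # value, or a match-everything regex all leave deserialization open.
        flt = (manager.get("sessionAttributeValueClassNameFilter") or "").strip()
        if flt.lower() in ("", "null") or flt == ".*":
            filter_is_lax = True
    return uses_file_store, filter_is_lax


def is_affected(xml_text):
    """True when conditions b) and c) of CVE-2020-9484 both hold."""
    uses_file_store, filter_is_lax = assess_context(xml_text)
    return uses_file_store and filter_is_lax
```

Run it over each context.xml (and the per-webapp META-INF/context.xml files) of a pre-9.0.35 install to find session stores that still need either the upgrade or an explicit filter.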
MGA7-64 Plasma on Lenovo B50
No installation issues. I still had /etc/tomcat/tomcat-users.xml from previous tests, so that one was saved during installation. I re-used it, ref bug 23045.
I browsed http://localhost:8080/sample and http://localhost:8080/examples and clicked the links. All worked except one, which throws a 404 error. The page http://localhost:8080 also comes up OK, but trying the manager app also results in:
HTTP Status 404 – Not Found
Type Status Report
Message The requested resource [/manager/html] is not available
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
I guess the package tomcat-admin-webapps is missing.
CC: (none) => herman.viaene
The package tomcat-admin-webapps-9.0.35-1.mga7 is missing from the list in Comment 1, but I did find it in the testing repo.
CC: (none) => andrewsfarm
Added the tomcat-admin-webapps-9.0.35-1.mga7 package; that gets rid of the 404 error. But I can't get past the authentication. My tomcat-users.xml reads at the end:
<role rolename="tomcat"/>
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="tester" roles="tomcat,admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status"/>
I don't see the problem here.
RedHat has issued an advisory for this today (June 11): https://access.redhat.com/errata/RHSA-2020:2530
Used qarepo to get the following packages:
tomcat-9.0.35-1.mga7.noarch.rpm
tomcat-admin-webapps-9.0.35-1.mga7.noarch.rpm
tomcat-docs-webapp-9.0.35-1.mga7.noarch.rpm
tomcat-el-3.0-api-9.0.35-1.mga7.noarch.rpm
tomcat-jsp-2.3-api-9.0.35-1.mga7.noarch.rpm
tomcat-jsvc-9.0.35-1.mga7.noarch.rpm
tomcat-lib-9.0.35-1.mga7.noarch.rpm
tomcat-servlet-4.0-api-9.0.35-1.mga7.noarch.rpm
tomcat-webapps-9.0.35-1.mga7.noarch.rpm
To satisfy dependencies, the following packages are going to be installed:
Package Version Release Arch
(medium "Core Release (distrib1)")
apache-commons-daemon 1.0.15 16.mga7 i586
apache-commons-daemon-jsvc 1.0.15 16.mga7 i586
ecj 4.10 1.mga7 noarch
libapr-devel 1.7.0 1.mga7 i586 (recommended)
libtool 2.4.6 9.mga7 i586 (recommended)
libtool-base 2.4.6 9.mga7 i586 (recommended)
libuuid-devel 2.33.2 1.mga7 i586 (recommended)
libxcrypt-devel 4.4.6 1.mga7 i586 (recommended)
libzlib-devel 1.2.11 7.mga7 i586 (recommended)
tomcat-javadoc 9.0.13 1.mga7 noarch
tomcat-taglibs-standard 1.2.5 4.mga7 noarch
(medium "Core Updates (distrib3)")
glibc-devel 2.29 20.mga7 i586 (recommended)
kernel-userspace-headers 5.6.14 2.mga7 i586 (recommended)
libopenssl-devel 1.1.0l 1.1.mga7 i586 (recommended)
tomcat 9.0.31 1.mga7 noarch
tomcat-admin-webapps 9.0.31 1.mga7 noarch
tomcat-docs-webapp 9.0.31 1.mga7 noarch
tomcat-el-3.0-api 9.0.31 1.mga7 noarch
tomcat-jsp-2.3-api 9.0.31 1.mga7 noarch
tomcat-jsvc 9.0.31 1.mga7 noarch
tomcat-lib 9.0.31 1.mga7 noarch
tomcat-native 1.2.23 1.mga7 i586 (recommended)
tomcat-servlet-4.0-api 9.0.31 1.mga7 noarch
tomcat-webapps 9.0.31 1.mga7 noarch
Edited /etc/tomcat/tomcat-users.xml to uncomment the users and set a password:
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="qatester" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />
Started tomcat-jsvc.service and tomcat.service.
Logged in to http://localhost:8080/manager/html
Tested various applications such as echo under the samples.
Validating the update.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs
Oops. Retested after installing:
-rw-r--r-- 1 dave dave 89188 Jun 25 21:54 tomcat-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 28380 Jun 25 21:54 tomcat-admin-webapps-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 720640 Jun 25 21:54 tomcat-docs-webapp-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 105716 Jun 25 21:54 tomcat-el-3.0-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 63768 Jun 25 21:54 tomcat-jsp-2.3-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 8716 Jun 25 21:54 tomcat-jsvc-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 5610132 Jun 25 21:54 tomcat-lib-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 286904 Jun 25 21:54 tomcat-servlet-4.0-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 316948 Jun 25 21:54 tomcat-webapps-9.0.35-1.mga7.noarch.rpm
Still ok.
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0277.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED