Bug 26657 - tomcat new security issue CVE-2020-9484
Summary: tomcat new security issue CVE-2020-9484
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA7-32-OK
Keywords: advisory, validated_update
Depends on:
Reported: 2020-05-21 00:43 CEST by David Walser
Modified: 2020-07-05 13:27 CEST (History)
5 users (show)

See Also:
Source RPM: tomcat-9.0.34-1.mga8.src.rpm
Status comment:


Description David Walser 2020-05-21 00:43:11 CEST
Apache has issued an advisory today (May 20):

The issue is fixed upstream in 9.0.35:

Mageia 7 is also affected.
David Walser 2020-05-21 00:43:26 CEST

Status comment: (none) => Fixed upstream in 9.0.35
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2020-05-22 01:27:29 CEST

This update fixes CVE-2020-9484
Apache Tomcat Remote Code Execution via session persistence

It updates tomcat to version 9.0.35



Status comment: Fixed upstream in 9.0.35 => (none)
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)
CC: (none) => mageia

David Walser 2020-05-22 01:39:19 CEST

Version: Cauldron => 7

Comment 2 David Walser 2020-05-22 19:20:41 CEST

Updated tomcat packages fix security vulnerability:

When using Apache Tomcat versions 9.0.0.M1 to 9.0.34, if a) an attacker is able
to control the contents and name of a file on the server; and b) the server is
configured to use the PersistenceManager with a FileStore; and c) the
PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the attacker
provided object to be deserialized; and d) the attacker knows the relative file
path from the storage location used by FileStore to the file the attacker has
control over; then, using a specifically crafted request, the attacker will be
able to trigger remote code execution via deserialization of the file under
their control. Note that all of conditions a) to d) must be true for the attack
to succeed (CVE-2020-9484).

Comment 3 Herman Viaene 2020-05-24 16:19:08 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
I still had /etc/tomcat/tomcat-users.xml from previous tests, so that one was saved during installation. I re-used it, ref bug 23045.
I used browsing http://localhost:8080/sample and http://localhost:8080/examples and click the links.
All worked exceept one which throws a 404 error.
The page http://localhost:8080 also comes up OK, but trying the manager app also results in:
HTTP Status 404 – Not Found

Type Status Report

Message The requested resource [/manager/html] is not available

Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

I guess the package tomcat-admin-webapps is missing.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-06-02 02:31:55 CEST
The package tomcat-admin-webapps-9.0.35-1.mga7 is missing from the list in Comment 1, but I did find it in the testing repo.

CC: (none) => andrewsfarm

Comment 5 Herman Viaene 2020-06-02 14:06:19 CEST
Added thetomcat-admin-webapps-9.0.35-1.mga7 package, that gets me rid of the 404 error.
But I cann't get past the authentication.
My tomcat-users.xml reads at  the end:
<role rolename="tomcat"/>
<role rolename="admin"/>
<role rolename="admin-gui"/> 
<role rolename="admin-script"/>
<role rolename="manager"/> 
<role rolename="manager-gui"/>
<role rolename="manager-script"/> 
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="tester" roles="tomcat,admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status"/>
I don't see the problem here.
Comment 6 David Walser 2020-06-11 17:52:09 CEST
RedHat has issued an advisory for this today (June 11):
Comment 7 Dave Hodgins 2020-06-26 04:08:05 CEST
Used qarepo to get the following packages

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release (distrib1)")
  apache-commons-daemon          1.0.15       16.mga7       i586    
  apache-commons-daemon-jsvc     1.0.15       16.mga7       i586    
  ecj                            4.10         1.mga7        noarch  
  libapr-devel                   1.7.0        1.mga7        i586    (recommended)
  libtool                        2.4.6        9.mga7        i586    (recommended)
  libtool-base                   2.4.6        9.mga7        i586    (recommended)
  libuuid-devel                  2.33.2       1.mga7        i586    (recommended)
  libxcrypt-devel                4.4.6        1.mga7        i586    (recommended)
  libzlib-devel                  1.2.11       7.mga7        i586    (recommended)
  tomcat-javadoc                 9.0.13       1.mga7        noarch  
  tomcat-taglibs-standard        1.2.5        4.mga7        noarch  
(medium "Core Updates (distrib3)")
  glibc-devel                    2.29         20.mga7       i586    (recommended)
  kernel-userspace-headers       5.6.14       2.mga7        i586    (recommended)
  libopenssl-devel               1.1.0l       1.1.mga7      i586    (recommended)
  tomcat                         9.0.31       1.mga7        noarch  
  tomcat-admin-webapps           9.0.31       1.mga7        noarch  
  tomcat-docs-webapp             9.0.31       1.mga7        noarch  
  tomcat-el-3.0-api              9.0.31       1.mga7        noarch  
  tomcat-jsp-2.3-api             9.0.31       1.mga7        noarch  
  tomcat-jsvc                    9.0.31       1.mga7        noarch  
  tomcat-lib                     9.0.31       1.mga7        noarch  
  tomcat-native                  1.2.23       1.mga7        i586    (recommended)
  tomcat-servlet-4.0-api         9.0.31       1.mga7        noarch  
  tomcat-webapps                 9.0.31       1.mga7        noarch

Edited /etc/tomcat/tomcat-users.xml to uncomment the users and set a password
<role rolename="admin"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<role rolename="manager"/>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="qatester" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" />

Started tomcat-jsvc.service and tomcat.service
Logged in to http://localhost:8080/manager/html
Tested various applications such as echo under the samples.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 8 Dave Hodgins 2020-06-26 04:16:41 CEST
Oops. Retested after installing
-rw-r--r-- 1 dave dave   89188 Jun 25 21:54 tomcat-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave   28380 Jun 25 21:54 tomcat-admin-webapps-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave  720640 Jun 25 21:54 tomcat-docs-webapp-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave  105716 Jun 25 21:54 tomcat-el-3.0-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave   63768 Jun 25 21:54 tomcat-jsp-2.3-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave    8716 Jun 25 21:54 tomcat-jsvc-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave 5610132 Jun 25 21:54 tomcat-lib-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave  286904 Jun 25 21:54 tomcat-servlet-4.0-api-9.0.35-1.mga7.noarch.rpm
-rw-r--r-- 1 dave dave  316948 Jun 25 21:54 tomcat-webapps-9.0.35-1.mga7.noarch.rpm

Still ok.
Nicolas Lécureuil 2020-07-05 12:53:57 CEST

Keywords: (none) => advisory

Comment 9 Mageia Robot 2020-07-05 13:27:50 CEST
An update for this issue has been pushed to the Mageia Updates repository.


Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.