Bug 26657 - tomcat new security issue CVE-2020-9484
Summary: tomcat new security issue CVE-2020-9484
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-21 00:43 CEST by David Walser
Modified: 2020-06-02 14:06 CEST (History)
CC: 3 users

See Also:
Source RPM: tomcat-9.0.34-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-05-21 00:43:11 CEST
Apache has issued an advisory today (May 20):
https://www.openwall.com/lists/oss-security/2020/05/20/4

The issue is fixed upstream in 9.0.35:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35

Mageia 7 is also affected.
David Walser 2020-05-21 00:43:26 CEST

Status comment: (none) => Fixed upstream in 9.0.35
Whiteboard: (none) => MGA7TOO

Comment 1 Nicolas Lécureuil 2020-05-22 01:27:29 CEST
Advisory:

This update fixes CVE-2020-9484
Apache Tomcat Remote Code Execution via session persistence

It updates tomcat to version 9.0.35
References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35

rpms:
tomcat-servlet-4.0-api-9.0.35-1.mga7
tomcat-9.0.35-1.mga7
tomcat-el-3.0-api-9.0.35-1.mga7
tomcat-webapps-9.0.35-1.mga7
tomcat-jsp-2.3-api-9.0.35-1.mga7
tomcat-jsvc-9.0.35-1.mga7
tomcat-lib-9.0.35-1.mga7
tomcat-docs-webapp-9.0.35-1.mga7


from:
tomcat-9.0.35-1.mga7

CC: (none) => mageia
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)
Status comment: Fixed upstream in 9.0.35 => (none)

David Walser 2020-05-22 01:39:19 CEST

Version: Cauldron => 7

Comment 2 David Walser 2020-05-22 19:20:41 CEST
Advisory:
========================

Updated tomcat packages fix security vulnerability:

When using Apache Tomcat versions 9.0.0.M1 to 9.0.34, if a) an attacker is able
to control the contents and name of a file on the server; and b) the server is
configured to use the PersistenceManager with a FileStore; and c) the
PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the attacker
provided object to be deserialized; and d) the attacker knows the relative file
path from the storage location used by FileStore to the file the attacker has
control over; then, using a specifically crafted request, the attacker will be
able to trigger remote code execution via deserialization of the file under
their control. Note that all of conditions a) to d) must be true for the attack
to succeed (CVE-2020-9484).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35
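For anyone checking a Mageia tomcat install against conditions b) and c) of the advisory above, here is an added example (it is not from this bug report, from Apache Tomcat's shipped configuration or from Mageia's packaging) of a per-application context.xml showing first the permissive setup the advisory describes and then the same manager with the session attribute class filter set. The allow-list regex, the `sessions` directory name and the file location (the `conf` directory, assumed to be /etc/tomcat on this install given the tomcat-users.xml path in the comments below) are illustrative assumptions; the attribute names `sessionAttributeValueClassNameFilter` and `warnOnSessionAttributeFilterFailure` are real Manager attributes documented by Tomcat.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from this bug report or the Mageia packages.
     Context file for a single web application, e.g.
     conf/Catalina/localhost/myapp.xml (path and app name assumed). -->
<Context>

  <!-- WEAK (matches advisory conditions b and c):
       PersistentManager plus FileStore with no attribute class filter.
       sessionAttributeValueClassNameFilter is null by default when no
       SecurityManager is in use, so any serializable class found in a
       session file under the store directory is deserialised on load.
       Kept commented out so this file stays valid with only one Manager. -->
  <!--
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
  -->

  <!-- HARDENED: same manager and store, but a session attribute value is
       only deserialised when its class name matches this Java regular
       expression. The classes listed are an illustrative allow-list;
       replace them with exactly the types your application stores in the
       session and nothing else. Dots are escaped because the value is a
       regex, not a glob. -->
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|java\.util\.(?:ArrayList|HashMap)"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>

</Context>
```

With `warnOnSessionAttributeFilterFailure="true"` every attribute rejected by the filter produces a WARN entry in catalina.out, which is the quickest way to find out which classes the application actually persists before tightening the list further. The filter is defence in depth for condition c) only; the update to 9.0.35 carried by this bug remains the fix.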
Comment 3 Herman Viaene 2020-05-24 16:19:08 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
I still had /etc/tomcat/tomcat-users.xml from previous tests, so that one was saved during installation. I re-used it, ref bug 23045.
I browsed http://localhost:8080/sample and http://localhost:8080/examples and clicked the links.
All worked except one which throws a 404 error.
The page http://localhost:8080 also comes up OK, but trying the manager app also results in:
HTTP Status 404 – Not Found

Type Status Report

Message The requested resource [/manager/html] is not available

Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.

I guess the package tomcat-admin-webapps is missing.

CC: (none) => herman.viaene

Comment 4 Thomas Andrews 2020-06-02 02:31:55 CEST
The package tomcat-admin-webapps-9.0.35-1.mga7 is missing from the list in Comment 1, but I did find it in the testing repo.

CC: (none) => andrewsfarm

Comment 5 Herman Viaene 2020-06-02 14:06:19 CEST
Added the tomcat-admin-webapps-9.0.35-1.mga7 package, which gets rid of the 404 error for me.
But I can't get past the authentication.
My tomcat-users.xml reads at the end:
<role rolename="tomcat"/>
<role rolename="admin"/>
<role rolename="admin-gui"/> 
<role rolename="admin-script"/>
<role rolename="manager"/> 
<role rolename="manager-gui"/>
<role rolename="manager-script"/> 
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<user name="admin" password="tester" roles="tomcat,admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status"/>
I don't see the problem here.
