Content

Table of Contents

Apache Tomcat 10.x vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 10.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache Tomcat version that you are using. For Tomcat 10.0.x alpha those are building.html and BUILDING.txt. Both files can be found in the webapps/docs subdirectory of a binary distribution. You may also want to review the Security Considerations page in the documentation.

If you need help on building or configuring Tomcat or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Tomcat Users mailing list

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Tomcat Security Team. Thank you.

11 May 2020 Fixed in Apache Tomcat 10.0.0-M5

High: Remote Code Execution via session persistence CVE-2020-9484

If:

  • an attacker is able to control the contents and name of a file on the server; and
  • the server is configured to use the PersistenceManager with a FileStore; and
  • the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
  • the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.

Note: All of conditions above must be true for the attack to succeed.

As an alternative to upgrading to 10.0.0-M5 or later, users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized.

This was fixed with commit bb33048e.

This issue was reported to the Apache Tomcat Security Team by by jarvis threedr3am of pdd security research on 12 April 2020. The issue was made public on 20 May 2020.

Affects: 10.0.0-M1 to 10.0.0-M4