Apache Tomcat Deserialization Remote Code Execution Vulnerability

02/06/2020 10:00:13


Description

Apache Tomcat Introduction
Tomcat is a core project of the Apache Software Foundation's Jakarta Project, developed by Apache, Sun and other individuals and companies. Thanks to Sun's participation and support, the latest Servlet and JSP specifications have always been reflected in Tomcat; Tomcat 5, for example, implemented the then-current Servlet 2.4 and JSP 2.0 standards. Tomcat is a free, open source servlet container and a lightweight application server. It is widely used in small and medium-sized systems with moderate numbers of concurrent users, and it is the first choice for developing and debugging JSP programs.

Summary
On May 20, 2020, Apache Tomcat released a security bulletin [1] disclosing a vulnerability that allows remote code execution through cluster session synchronization. When a Tomcat server uses Tomcat's own session replication (the Tribes group channel) in an insecure configuration, that is, without the EncryptInterceptor, the cluster receiver deserializes whatever bytes arrive on the replication port. An attacker who can reach that port sends a specially crafted packet through the session synchronization channel and achieves remote code execution on the server.

Analysis
The Tomcat server reads incoming cluster data in the org.apache.catalina.tribes.transport.nio.NioReplicationTask.run() method.



In the drainChannel() method, the received bytes are unpacked into ChannelData objects (the ChannelMessage implementation used by Tribes), and in the subsequent processing the messageDataReceived() method is called for each message in turn.







Finally, control reaches the GroupChannel.messageReceived() method.



The messageReceived() method calls XByteBuffer.deserialize() on the message body. That call is standard Java object deserialization (ObjectInputStream) of attacker-controlled bytes with no class filtering, so a gadget chain embedded in the serialized data runs the attacker's command while the object graph is being reconstructed.



At that point the payload has been deserialized and the injected command has executed; the exploitation chain ends here.
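The call chain above ends in a plain ObjectInputStream read of whatever bytes arrive on the cluster port. A cheap network-side check for a cluster that is still running without the EncryptInterceptor is to look for Java serialization stream headers inside Tribes frames: with encryption enabled the message body is ciphertext and the header does not appear. The following script is an added example, not code from the original advisory or from Tomcat. It relies on the FLT2002/TLF2003 framing markers and the start-marker, 4-byte length, body, end-marker layout used by XByteBuffer; the sample packets are constructed inline (the ChannelData envelope is approximated with filler bytes and the payload is only a serialization header, not an exploit).

```python
"""Detect unencrypted Java serialized objects inside Tomcat Tribes cluster traffic.

Added example: heuristic check over a captured TCP byte stream from a replication
connection (e.g. the Receiver port, 4000 by default). Not part of Tomcat.
"""
import struct

# Framing markers used by org.apache.catalina.tribes.io.XByteBuffer.
START_DATA = b"FLT2002"
END_DATA = b"TLF2003"
# Java ObjectOutputStream stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def iter_packets(stream: bytes):
    """Yield (offset, body) for each well-formed Tribes frame in the stream.

    Frame layout (per XByteBuffer): START_DATA, 4-byte big-endian body length,
    body, END_DATA. Frames with a bad length or missing end marker are skipped
    rather than trusted, so a truncated capture cannot produce a bogus body.
    """
    pos = 0
    while True:
        start = stream.find(START_DATA, pos)
        if start < 0:
            return
        hdr_end = start + len(START_DATA)
        if hdr_end + 4 > len(stream):
            return
        (length,) = struct.unpack(">i", stream[hdr_end:hdr_end + 4])
        body_start = hdr_end + 4
        body_end = body_start + length
        if (length < 0
                or body_end + len(END_DATA) > len(stream)
                or stream[body_end:body_end + len(END_DATA)] != END_DATA):
            # Not a valid frame at this marker; keep scanning after the marker.
            pos = hdr_end
            continue
        yield start, stream[body_start:body_end]
        pos = body_end + len(END_DATA)


def find_plaintext_java_objects(stream: bytes):
    """Return [(frame_offset, magic_offset_in_body)] for every frame whose body
    carries a Java serialization stream header in the clear."""
    hits = []
    for offset, body in iter_packets(stream):
        idx = body.find(JAVA_STREAM_MAGIC)
        if idx >= 0:
            hits.append((offset, idx))
    return hits


def frame(body: bytes) -> bytes:
    """Wrap a body in Tribes framing (used here only to build sample packets)."""
    return START_DATA + struct.pack(">i", len(body)) + body + END_DATA


# Constructed samples. The 16 leading bytes stand in for the ChannelData envelope
# (options, timestamp, ids); they are filler, not the real field layout.
ENVELOPE = b"\x00\x00\x00\x08" + b"\x00" * 12
# Plaintext replication message: serialization header followed by a TC_OBJECT/TC_CLASSDESC
# tag pair and padding. This is not an exploit payload.
PLAINTEXT_BODY = ENVELOPE + b"\xac\xed\x00\x05\x73\x72" + b"\x00" * 16
# What the same message looks like once EncryptInterceptor is on: opaque bytes, no header.
ENCRYPTED_BODY = ENVELOPE + bytes(range(0x10, 0x10 + 22))
# Leading "junk" simulates a capture that starts mid-stream.
SAMPLE_STREAM = b"junk" + frame(PLAINTEXT_BODY) + frame(ENCRYPTED_BODY)


if __name__ == "__main__":
    for frame_off, magic_off in find_plaintext_java_objects(SAMPLE_STREAM):
        print(f"frame at byte {frame_off}: Java serialized object at body offset {magic_off}")
```

Feed the script the reassembled TCP payload of a replication connection. A hit means a node is accepting unencrypted serialized objects on the replication channel. It is a heuristic: it does not parse the ChannelData envelope and says nothing about who sent the frame, so it is a configuration check, not an intrusion alert.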

Reproduction
We build a vulnerability environment with Tomcat 8.0.5 on JDK 7u21 and enable session synchronization as follows:

Add the cluster configuration to the conf/server.xml configuration file.
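As an added example (not the configuration used in the original reproduction), here is a minimal session-replication Cluster element of the kind the reproduction needs, followed by the hardened form. Element and attribute names are the documented SimpleTcpCluster/Tribes ones from the Tomcat 8.5/9 cluster how-to; the multicast address, interface address, ports and the encryption key are placeholders.

```xml
<!-- (a) Vulnerable: session replication with no EncryptInterceptor.
     Goes inside <Engine> or <Host> in conf/server.xml.
     Any host that can reach the Receiver port can inject a serialized object. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="8">
  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"/>
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.4" port="45564" frequency="500" dropTime="3000"/>
    <!-- address="auto" binds the replication listener on a non-loopback interface,
         and autoBind="100" lets it fall through ports 4000-4100. -->
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto" port="4000" autoBind="100" selectorTimeout="5000" maxThreads="6"/>
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
  </Channel>
  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=""/>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>

<!-- (b) Hardened: same cluster, but message bodies are encrypted with a shared key
     and the listener is pinned to a replication-only interface (placeholder 10.0.1.11)
     that is firewalled to the other cluster nodes. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster" channelSendOptions="8">
  <Manager className="org.apache.catalina.ha.session.DeltaManager"
           expireSessionsOnShutdown="false"
           notifyListenersOnReplication="true"/>
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.4" port="45564" frequency="500" dropTime="3000"/>
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="10.0.1.11" port="4000" autoBind="100" selectorTimeout="5000" maxThreads="6"/>
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
    <!-- EncryptInterceptor is available in Tomcat 8.5.38 / 9.0.13 and later (not in 8.0.x).
         encryptionKey is a placeholder: generate a random 128/192/256-bit key, hex-encode it,
         and configure the identical value on every node. Nodes without the key cannot join. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="000102030405060708090a0b0c0d0e0f"/>
  </Channel>
  <Valve className="org.apache.catalina.ha.tcp.ReplicationValve" filter=""/>
  <Valve className="org.apache.catalina.ha.session.JvmRouteBinderValve"/>
  <ClusterListener className="org.apache.catalina.ha.session.ClusterSessionListener"/>
</Cluster>
```

Configuration (a) is what the reproduction relies on: the Receiver accepts framed messages from anyone who can connect, and nothing between the socket and XByteBuffer.deserialize() authenticates the sender. In (b) the key is the authentication: a packet that does not decrypt under it never reaches the deserializer. Keep the replication port off any interface that untrusted clients can reach even with encryption enabled.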



We start Tomcat on a JDK 7u21 runtime, which contains a known deserialization gadget chain in the JDK itself, so the payload needs no third-party libraries on the server's classpath. The malicious serialized data is sent to the cluster receiver port with the public attack script [2], and the command embedded in the payload executes on the server:



Impacts
Affected Apache Tomcat version:

Apache Software Foundation Tomcat 7.x < 7.0.104
Apache Software Foundation Tomcat 8.x < 8.5.55
Apache Software Foundation Tomcat 9.x < 9.0.35
Apache Software Foundation Tomcat 10.x < 10.0.0-M5

Timeline
May 20, 2020 Apache Tomcat officially released a security bulletin disclosing a vulnerability that allows remote code execution through cluster session synchronization.
May 21, 2020 Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Reference
[1] https://seclists.org/oss-sec/2020/q2/136
[2] https://github.com/threedr3am/tomcat-cluster-session-sync-exp

Solution

Remediation Solution
The latest official versions (Apache Software Foundation Tomcat 7.0.104, Apache Software Foundation Tomcat 8.5.55, Apache Software Foundation Tomcat 9.0.35, Apache Software Foundation Tomcat 10.0.0-M5) fix this vulnerability. Please visit the following link to download the latest version:

https://tomcat.apache.org/

Temporary Solution
Users can configure a PersistenceManager with sessionAttributeValueClassNameFilter so that only attribute value classes provided by the application are serialized and deserialized. Note that this filter governs session attributes on the session persistence path (PersistenceManager and its Store); the deserialization shown in the analysis above happens in XByteBuffer.deserialize() before any Manager sees the message. For clustered deployments, also add the EncryptInterceptor to the Channel interceptor chain and bind the cluster Receiver to an interface that is reachable only from the other cluster nodes.
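An added example of the persistence-side filter (not configuration from the original advisory): a PersistentManager with FileStore whose attribute value classes are restricted to an explicit allow-list. The regular expression must match the fully qualified class name in full; com.example.shop.Cart is a placeholder for an application class, and the directory name is arbitrary.

```xml
<!-- conf/context.xml, or an application's META-INF/context.xml -->
<Context>
  <!-- Only attribute values whose class name matches the regular expression are
       serialized to and deserialized from the Store; anything else is skipped.
       warnOnSessionAttributeFilterFailure logs each skipped attribute so that a
       too-narrow filter is noticed during testing instead of silently losing data. -->
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.shop\.Cart"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>
```

Start from an empty filter and add application classes as the warnings reveal them; a filter that accepts a broad package prefix such as `com\..*` defeats the purpose, because gadget classes from third-party libraries on the classpath would match it.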

Sangfor Solution
Sangfor Host Security updated its detection capability as soon as the vulnerability was disclosed. Users can upgrade to quickly detect whether their network is affected by this high-risk vulnerability before attackers exploit it. Offline users need to download the offline update package for detection capability; online users obtain detection capabilities automatically.

For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF to block attacker IP address.

Sangfor SOC ensures that Sangfor security specialists are available to you 24/7 for any security issue. Sangfor security experts first scan the customer's network environment to confirm whether the customer's hosts are exposed to this vulnerability. For affected users, we review and update device policies to ensure protection against this vulnerability.

COPYRIGHT © 2000-2020 SANGFOR TECHNOLOGIES. ALL RIGHTS RESERVED.