Apache Tomcat Cluster Session Deserialization Remote Code Execution Vulnerability CVE-2020-9484

16/06/2020 10:00:12


Apache Tomcat Introduction
Tomcat is a core project of the Jakarta project at the Apache Software Foundation, developed by Apache, Sun, and other individuals and companies. Thanks to Sun's participation and support, the latest Servlet and JSP specifications are always reflected in Tomcat; Tomcat 5 supports the Servlet 2.4 and JSP 2.0 standards. Tomcat is a free, open-source web application server and a lightweight application server. It is widely used in small and medium-sized systems with moderate numbers of concurrent users, and it is the first choice for developing and debugging JSP programs.

On May 20, 2020, Apache Tomcat officially released a security bulletin disclosing a vulnerability that allows remote code execution through Apache Tomcat session persistence. When the Tomcat server uses the session persistence function, an insecure configuration leads to a deserialization vulnerability. Attackers can attack a Tomcat server that uses session persistence by sending specially crafted requests.

Code Analysis:
Tomcat receives the HTTP request and uses JspServlet to process it. When JspFactoryImpl is initialized, the RequestFacade.getSession() method is called to obtain the session.

Once execution enters Request.doGetSession(), it calls PersistentManagerBase.findSession() to obtain the session that was passivated to local storage.

While obtaining the session, the program calls the swapIn() method, which in turn calls FileStore.load() to load the session file from the local store.

During session activation in the load() method, StandardSession.readObjectData() is called to deserialize the session file; if that file contains malicious serialized data, the deserialization results in code execution.

That completes the exploitation chain.

We built a Tomcat 8.0.50 vulnerability environment with session persistence configured. The configuration is as follows:

We add the following configuration to the conf/context.xml file:

Then we start Tomcat, upload a malicious WAR package (including the commons-collections-3.1.jar dependency), and upload a session file containing the malicious serialized data to the session directory.

Finally, we send the malicious request to the server; the result of the exploitation is as follows:

Affected Apache Tomcat versions:
Apache Software Foundation Tomcat 7.x < 7.0.104
Apache Software Foundation Tomcat 8.x < 8.5.55
Apache Software Foundation Tomcat 9.x < 9.0.35
Apache Software Foundation Tomcat 10.x < 10.0.0-M5

May 20, 2020: Apache Tomcat disclosed a deserialization remote code execution vulnerability via session persistence, CVE-2020-9484.
May 22, 2020: Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.



Remediation Solution
The latest official versions (Apache Software Foundation Tomcat 7.0.104; Apache Software Foundation Tomcat 8.5.55; Apache Software Foundation Tomcat 9.0.35; Apache Software Foundation Tomcat 10.0.0-M5) fix this vulnerability. Please visit the following link to download the latest version.

Download address: https://tomcat.apache.org/

Temporary Solution
Disable session persistence
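As an added example (not part of the advisory), a small Python audit helper that checks a Tomcat version string against the affected ranges listed above and inspects a context.xml for the PersistentManager/FileStore combination that this workaround removes. The class names are Tomcat's own; the sample context.xml is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases from the advisory's affected-version list. Milestone 99 stands
# for a final release, so 10.0.0-M4 sorts before 10.0.0-M5 and before 10.0.0.
FIXED_IN = {7: (7, 0, 104, 99), 8: (8, 5, 55, 99), 9: (9, 0, 35, 99), 10: (10, 0, 0, 5)}
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

def parse_version(text):
    """Extract (major, minor, patch, milestone) from e.g. 'Apache Tomcat/8.5.50'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", text)
    if not m:
        raise ValueError("no Tomcat version found in %r" % text)
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else 99)

def is_affected(text):
    """True when the version is below the fixed release of its major line."""
    version = parse_version(text)
    fixed = FIXED_IN.get(version[0])
    return fixed is not None and version < fixed

def persistent_file_stores(context_xml):
    """Directories of every FileStore under a PersistentManager in a context.xml."""
    found = []
    for manager in ET.fromstring(context_xml).iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        for store in manager.findall("Store"):
            if store.get("className") == FILE_STORE:
                # FileStore defaults to ".", resolved against the Context work directory
                found.append(store.get("directory", "."))
    return found

def disable_session_persistence(context_xml):
    """The advisory's temporary mitigation: remove the PersistentManager element."""
    root = ET.fromstring(context_xml)
    for parent in list(root.iter()):
        for manager in [m for m in parent.findall("Manager")
                        if m.get("className") == PERSISTENT_MANAGER]:
            parent.remove(manager)
    return ET.tostring(root, encoding="unicode")

# Constructed sample context.xml with session persistence to a FileStore enabled.
SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="/opt/tomcat/sessions"/>
  </Manager>
</Context>"""
```

Run it against the version banner of each instance and every context.xml (conf/ and per-application META-INF/) to find hosts that still need the upgrade or the workaround.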

Sangfor Solution
For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cloud WAF has automatically updated its database in the cloud. Those users are already protected from this vulnerability without needing to perform any additional operations.

Sangfor Cyber Command is capable of detecting attacks which exploit this vulnerability and can alert users in real time. Users can correlate Cyber Command to Sangfor NGAF to block an attacker's IP address.

Sangfor SOC ensures that Sangfor security specialists are available 24/7 for any security issues you may have. Sangfor security experts scan the customer's network environment first to confirm that the customer's hosts are free from this vulnerability. For users with vulnerable hosts, we reviewed and updated device policies to ensure protection against this vulnerability.
