CVE-2021-25329: Apache Tomcat session code execution vulnerability alert

On March 1, the Apache Software Foundation issued a security notice for an RCE vulnerability (CVE-2021-25329) in session persistence. The vulnerability is a bypass of the patch for CVE-2020-9484. If Tomcat's session persistence is used with an insecure configuration, an attacker can send malicious requests that execute arbitrary code. Successful exploitation requires that all four of the following conditions are met at the same time:

  1. The attacker can control the content and file name of the file on the server
  2. FileStore is used in the server PersistenceManager configuration
  3. The sessionAttributeValueClassNameFilter in PersistenceManager is configured as "null", or the filter is not strict enough, which allows the attacker to supply an object for deserialization
  4. The attacker knows the relative path from the used FileStore storage location to the attacker’s controllable file

Apache Tomcat 8

Vulnerability Detail

The fix for CVE-2020-9484 was incomplete. In a highly unlikely configuration edge case, the Tomcat instance remained vulnerable to CVE-2020-9484. Note that the previously published prerequisites for CVE-2020-9484 also apply to this issue.

Affected version

  • Apache Tomcat 10.0.0-M1 to 10.0.0
  • Apache Tomcat 9.0.0.M1 to 9.0.41
  • Apache Tomcat 8.5.0 to 8.5.61
  • Apache Tomcat 7.0.0 to 7.0.107

Unaffected version

  • Apache Tomcat 10.0.2 or later
  • Apache Tomcat 9.0.43 or later
  • Apache Tomcat 8.5.63 or later
  • Apache Tomcat 7.0.108 or later

Solution

Apache Tomcat has fixed the vulnerability in its latest releases; upgrade to an unaffected version as soon as possible.
If an upgrade cannot be performed right away, the following measures can be used as temporary mitigation:
Do not use the FileStore session persistence feature, or configure sessionAttributeValueClassNameFilter explicitly so that only objects of the specific classes you allow can be serialized and deserialized.
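As an added example (not from the advisory or from the Tomcat project), a small audit script that checks a context.xml for the weak combination described above: a PersistentManager backed by FileStore with no sessionAttributeValueClassNameFilter. Both the weak and the hardened fragments are constructed samples; the probe class name and the "accepts any class" heuristic are assumptions of this script.

```python
"""Audit a Tomcat context.xml for the CVE-2021-25329 / CVE-2020-9484 preconditions.

Added example, not from the advisory or from Tomcat. Flags a PersistentManager
whose Store is a FileStore and whose sessionAttributeValueClassNameFilter is
missing, empty, or permissive enough to accept an arbitrary class name.
"""
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
# Constructed probe: a class name that should never be on a deserialization allow-list.
PROBE_CLASS = "com.example.NotOnAllowList"

# Constructed sample: the weak setting the advisory warns about (no filter at all).
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: FileStore kept, but deserialization limited to an explicit
# allow-list (Tomcat matches this regex against the attribute value's class name).
HARDENED_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""


def audit_context(xml_text: str) -> list[str]:
    """Return findings for each weak Manager; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        if not any(s.get("className") == FILE_STORE for s in manager.findall("Store")):
            continue  # condition 2 (FileStore) not met
        filt = manager.get("sessionAttributeValueClassNameFilter")
        if not filt:  # Tomcat treats null/empty as "no filter"
            findings.append("FileStore with no sessionAttributeValueClassNameFilter: "
                            "any serializable class can be deserialized from session files")
            continue
        try:  # heuristic: a filter that fully matches an arbitrary class name is too loose
            if re.fullmatch(filt, PROBE_CLASS):
                findings.append(f"sessionAttributeValueClassNameFilter {filt!r} accepts any class")
        except re.error:
            findings.append(f"sessionAttributeValueClassNameFilter {filt!r} is not a valid regex")
    return findings
```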