### Critical Vulnerability Information

#### Vulnerability ID

CVE-2020-9484

#### Vulnerability Type

Apache Tomcat remote code execution via session persistence (deserialization of an attacker-controlled session file)

#### Release Date

May 20, 2020

#### Vulnerability Description

An attacker can trigger remote code execution if all of the following conditions are met:

1. The attacker can control the contents and the name of a file on the server (for example, through an upload feature of the application).
2. The server is configured to use the PersistentManager with a FileStore.
3. The PersistentManager's `sessionAttributeValueClassNameFilter` is null (the default unless Tomcat runs with a SecurityManager, in which case a restrictive default filter applies) or is set to a filter lax enough to allow deserialization of the attacker's object.
4. The attacker knows the relative path from the FileStore's storage directory to the file they control.

Under these conditions a specially crafted request causes the FileStore to load the attacker's file as a persisted session and deserialize it, so the attacker's serialized object is deserialized by the Tomcat process and can execute code.

#### Affected Versions

- Apache Tomcat 10.0.0-M1 to 10.0.0-M4
- Apache Tomcat 9.0.0.M1 to 9.0.34
- Apache Tomcat 8.5.0 to 8.5.54
- Apache Tomcat 7.0.0 to 7.0.103

#### Severity

High

#### Vulnerability Analysis and Exploitation Tools Examples

- ace-voip
- Amap
- APT2
- arp-scan
- Automater
- bing-ip2hosts
- braa
- Casefile
- CDPSnarf
- cisco-torch
- copy-router-config
- ...

#### Mitigation Measures

- Upgrade to Apache Tomcat 10.0.0-M5 or later.
- Upgrade to Apache Tomcat 9.0.35 or later.
- Upgrade to Apache Tomcat 8.5.55 or later.
- Upgrade to Apache Tomcat 7.0.104 or later.
- Where an immediate upgrade is not possible, remove condition 3 above: set `sessionAttributeValueClassNameFilter` on the PersistentManager to a strict allowlist of the classes your application actually stores in sessions, and make sure no attacker-writable location is reachable by a relative path from the FileStore directory.
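The following is an added example, not code from the original page or from Apache Tomcat. It shows two checks a practitioner would want for the preconditions listed above: an audit of a Tomcat `context.xml` for a PersistentManager + FileStore pairing whose `sessionAttributeValueClassNameFilter` is unset or effectively unbounded (with the weak and the hardened configuration embedded as constructed samples), and a small model of how a file-backed store maps a session id to a file name, with and without a containment check, to illustrate why an attacker-chosen id containing `../` segments reaches a file outside the store directory. The `PERMISSIVE_FILTERS` set, the sample paths and the path model are illustrative assumptions; Tomcat's own Java logic is not reproduced.

```python
"""Added example (not code from the original page or from Apache Tomcat).

  1. audit_context_xml() parses a Tomcat context.xml and flags a
     PersistentManager + FileStore pairing whose
     sessionAttributeValueClassNameFilter is unset or unbounded.
  2. session_file_path() models how a file-backed store turns a session id
     into a file name, with and without a containment check. The real Java
     logic is not reproduced; this is an illustrative model (assumption).
"""
import posixpath
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed sample configurations (not from any real deployment).
# Weak: the filter attribute is absent, so it is null and nothing is filtered.
WEAK_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>
"""

# Hardened: only a handful of java.lang value types may be deserialized.
HARDENED_FILTER = r"java\.lang\.(?:Boolean|Integer|Long|Number|String)"
HARDENED_CONTEXT_XML = """\
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="%s">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>
""" % HARDENED_FILTER

# Filters that accept anything are as bad as no filter (assumed list).
PERMISSIVE_FILTERS = {None, "", ".*", ".+", ".*?"}


def filter_allows(class_filter, class_name):
    """True if the filter would let class_name be deserialized.

    The filter is applied as a full-string regex match on the class name;
    an unset (None) filter allows every class.
    """
    if class_filter is None:
        return True
    return re.fullmatch(class_filter, class_name) is not None


def audit_context_xml(xml_text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        stores = [s for s in manager.iter("Store") if s.get("className") == FILE_STORE]
        if not stores:
            continue
        class_filter = manager.get("sessionAttributeValueClassNameFilter")
        if class_filter in PERMISSIVE_FILTERS:
            for store in stores:
                findings.append(
                    "PersistentManager+FileStore at %s with filter=%r: any class "
                    "in a session file is deserialized (CVE-2020-9484 precondition)"
                    % (store.get("directory"), class_filter)
                )
    return findings


def session_file_path(directory, session_id, enforce_containment):
    """Map a session id to the file a file-backed store would open.

    enforce_containment=False models the vulnerable behaviour: the id is
    appended to the directory unchecked, so "../" segments escape it.
    enforce_containment=True refuses any result outside the directory
    (returns None), the kind of check a fixed store performs.
    """
    candidate = posixpath.normpath(posixpath.join(directory, session_id + ".session"))
    if enforce_containment:
        base = posixpath.normpath(directory)
        if posixpath.commonpath([base, candidate]) != base:
            return None
    return candidate


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONTEXT_XML), ("hardened", HARDENED_CONTEXT_XML)):
        print(name, audit_context_xml(cfg) or "no findings")
    print(session_file_path("/var/lib/tomcat/sessions", "../../../../tmp/evil", False))
    print(session_file_path("/var/lib/tomcat/sessions", "../../../../tmp/evil", True))
```

Run it against a deployment's own `conf/context.xml` and per-application `META-INF/context.xml` files by feeding their text to `audit_context_xml`; any finding means condition 2 and condition 3 from the description both hold and the remaining exposure is entirely down to whether an attacker can place a file reachable from the store directory. The hardened filter is an allowlist of value types; extend it only with the exact classes your application stores in sessions, never with a wildcard.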