tomcat-7.0.76-12.el7

Errata ID: AXSA:2020-138:02

Release date: Friday, June 12, 2020 - 04:51
Subject: tomcat-7.0.76-12.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-9484
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103, if

  a) an attacker is able to control the contents and name of a file on the server; and
  b) the server is configured to use the PersistenceManager with a FileStore; and
  c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
  d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
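Conditions b) and c) above are plain configuration facts, so an administrator can audit for them before and after applying the update. The script below is an added example written for this advisory, not code from the advisory, from Tomcat or from Asianux: it parses a Tomcat context.xml, finds a PersistentManager backed by a FileStore, and reports when sessionAttributeValueClassNameFilter is absent, "null", empty, or loose enough to admit an arbitrary class name. The Manager, Store, className and sessionAttributeValueClassNameFilter names are Tomcat's own configuration vocabulary; the probe class name, the sample context documents and the allow-list pattern in the hardened sample are constructed for illustration, and the script assumes Tomcat applies the filter as a full match against the class name. It checks one precondition only; because the fixed package keeps the upstream version string 7.0.76 (inside the affected range), a version-string comparison is not a reliable substitute for installing the update.

```python
"""Audit a Tomcat context.xml for the CVE-2020-9484 preconditions b) and c).

Added example for this advisory; not part of Tomcat or of the vendor package.
"""
import re
import xml.etree.ElementTree as ET

# Constructed probe: a well-configured allow-list must NOT match this class name.
PROBE_CLASS = "com.example.NotAnAllowedType"


def filter_is_lax(pattern):
    """Return True if the filter regex admits PROBE_CLASS.

    Assumption: Tomcat matches sessionAttributeValueClassNameFilter against the
    whole class name (full match), so a pattern such as ".*" admits anything.
    A pattern Python cannot compile is reported as lax so that a human reviews it.
    """
    try:
        return re.fullmatch(pattern, PROBE_CLASS) is not None
    except re.error:
        return True


def audit_context(xml_text):
    """Return a list of finding strings for one context.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        # Only the persistent manager writes sessions to a Store.
        if not manager.get("className", "").endswith("PersistentManager"):
            continue
        file_stores = [s for s in manager.findall("Store")
                       if s.get("className", "").endswith("FileStore")]
        if not file_stores:
            continue  # condition b) not met: no FileStore behind this manager
        flt = manager.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt.strip().lower() in ("", "null"):
            findings.append("PersistentManager with FileStore and no "
                            "sessionAttributeValueClassNameFilter (condition c holds)")
        elif filter_is_lax(flt):
            findings.append("sessionAttributeValueClassNameFilter %r admits "
                            "arbitrary classes (condition c holds)" % flt)
    return findings


# Constructed sample documents (not taken from any real deployment).
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

LAX_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter=".*">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

# Illustrative allow-list of a few JDK value types; tailor it to the attribute
# types your application actually stores in sessions.
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# No Manager element: Tomcat's default StandardManager, which uses no FileStore.
DEFAULT_CONTEXT = "<Context/>"


if __name__ == "__main__":
    for name, doc in [("weak", WEAK_CONTEXT), ("lax", LAX_CONTEXT),
                      ("hardened", HARDENED_CONTEXT), ("default", DEFAULT_CONTEXT)]:
        print(name, audit_context(doc) or ["no finding"])
```

Run it against $CATALINA_BASE/conf/context.xml and any per-application META-INF/context.xml; an empty list for every file means condition c) does not hold, and the package update in this advisory still needs to be applied regardless.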

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat-7.0.76-12.el7.src.rpm
    MD5: ddf5702cf834e8a1bb5bcd6e85ae663c
    SHA-256: 22cf328e2cbc3102d412ff1a4ca4aa9c7f5ab0b7db15b993ab094bba2b3e56e5
    Size: 4.60 MB

Asianux Server 7 for x86_64
  1. tomcat-7.0.76-12.el7.noarch.rpm
    MD5: 1fb6fb7bd8d34dc371410c5bb90f02cd
    SHA-256: bee029afe43dfbf160245d08250266c7f34ac897454365b76f86b33fbc62cc67
    Size: 91.18 kB
  2. tomcat-admin-webapps-7.0.76-12.el7.noarch.rpm
    MD5: ab5342a4d52a2952f5fda4db2c100fb9
    SHA-256: ce3e4e934930fa34342f7dc1df5d7f1b04ce5754f0a98473239058d25bfecf97
    Size: 39.39 kB
  3. tomcat-el-2.2-api-7.0.76-12.el7.noarch.rpm
    MD5: 18c6169fd66cda03e80c7846716edb33
    SHA-256: 6d2ff3454311c24c8468d45cadd0aeb20c039c413573bb6b194402981b670cfd
    Size: 80.64 kB
  4. tomcat-jsp-2.2-api-7.0.76-12.el7.noarch.rpm
    MD5: 3868394819788e343d8a9b398e83eddd
    SHA-256: 948988419e949ca3c6956046cf55f50fa380ce5e6067092e6cc9d8fbca3751bf
    Size: 94.36 kB
  5. tomcat-lib-7.0.76-12.el7.noarch.rpm
    MD5: 0280c62c1822e6be9832834a6fcb2323
    SHA-256: b1a70c16ce0b9b1270cf072db32ccf419a1eda654a04c8126e7a476fa3c2eff8
    Size: 3.86 MB
  6. tomcat-servlet-3.0-api-7.0.76-12.el7.noarch.rpm
    MD5: 144d095aaba628dfdfd84d6954561845
    SHA-256: 65491b31ff35e98a447ccc9d3490b053ab5fbe510881d364cc0a94776efdcf80
    Size: 211.71 kB
  7. tomcat-webapps-7.0.76-12.el7.noarch.rpm
    MD5: 4eb0c7685aac2c9d46318d100fc6d770
    SHA-256: 62aa15144860748be5c515918b145b0a45f32f3da7591291f74421dcab460e0a
    Size: 340.16 kB