CVE-2020-9484 Apache Tomcat RCE

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides a detailed analysis of recent and notable security vulnerabilities.

1.1        Vulnerability Summary

A new remote code execution vulnerability was disclosed for Apache Tomcat. Affected versions are:

  • Apache Tomcat 10.x < 10.0.0-M5
  • Apache Tomcat 9.x < 9.0.35
  • Apache Tomcat 8.x < 8.5.55
  • Apache Tomcat 7.x < 7.0.104 (June 2010)


1.1.1      Prerequisites

There are several prerequisites for this vulnerability to be exploitable.

  1. The “PersistentManager” is enabled and it’s using a “FileStore”
  2. The attacker can upload a file with arbitrary content, has control over the filename, and knows the location where it is uploaded
  3. There are gadgets in the classpath that can be used for a Java deserialization attack

Watch the video to learn more about this and other important vulnerabilities.

1.2        CVSS Score

The CVSS Base Score is 7.0 (High)

1.3        Affected Version

  • Apache Tomcat 10.x < 10.0.0-M5
  • Apache Tomcat 9.x < 9.0.35
  • Apache Tomcat 8.x < 8.5.55
  • Apache Tomcat 7.x < 7.0.104

1.4        Vulnerability Attribution

The vulnerability exists because the PersistentManager will try to load session objects from disk. These session objects are stored as serialized object. The idea is to have the attacker store a malicious serialized object on disk and have the PersistentManager load from there.

This attack can have a high impact (RCE), but the conditions that need to be met make the likelihood of exploitation low.

  • PersistentManager needs to be enabled manually by the tomcat administrator. This is likely to happen only on websites with high traffic loads (but not too high, as it will be more likely that a JDBC Store is used instead of a File Store)
  • The attacker must find a separate file upload vulnerability to place the malicious serialized file on the server.
  • There must be libraries on the classpath that are vulnerable to be exploited by a Java deserialization attack (e.g. gadgets).

1.5        Risk Impact

A publicly disclosed exploit code is available here. Based on this link from 2010, Apache Tomcat has been downloaded 10 Million times. Tomcat has 60% market share of Java Application servers. Given that Apache Tomcat powers a broad range of web applications across countless industries and use cases, from Fortune 500 conglomerates to service providers to eCommerce systems, it is reasonable to estimate that 10s of millions of this software are in use.

Based on the link here,  large range of versions of tomcat are affected. This site also has a hacking tutorial that helps exploiting Java deserialization vulnerabilities. Given the severity of the vulnerability and with exploit available publicly, all the Apache Tomcat servers are at high risk.

1.6        Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP) monitors processes that are spawned that are not part of a set of allowlisted processes. Any attempt to execute a new command or unknown binary would be denied by VSP's Process Monitoring capability. VSP's FSM capability would also detect the attempt to place a web shell on a disk.

1.7        Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Jump to: List of CVE Vulnerabilities

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.