Security update for tomcat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:1365-1 Final 1 1 2020-05-21T14:56:07Z current 2020-05-21T14:56:07Z 2020-05-21T14:56:07Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: - Update to Tomcat 9.0.35. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.35_(markt) * CVE-2020-9484 (bsc#1171928) Apache Tomcat Remote Code Execution via session persistence If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-1365,SUSE-SLE-SERVER-12-SP4-2020-1365,SUSE-SLE-SERVER-12-SP5-2020-1365 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20201365-1/ Link for SUSE-SU-2020:1365-1 https://lists.suse.com/pipermail/sle-security-updates/2020-May/006842.html E-Mail link for SUSE-SU-2020:1365-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1171928 SUSE Bug 1171928 https://www.suse.com/security/cve/CVE-2020-9484/ SUSE CVE CVE-2020-9484 page SUSE Linux Enterprise Server 12 SP4 SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-9.0.35-3.32.1 tomcat-admin-webapps-9.0.35-3.32.1 tomcat-docs-webapp-9.0.35-3.32.1 tomcat-el-3_0-api-9.0.35-3.32.1 tomcat-embed-9.0.35-3.32.1 tomcat-javadoc-9.0.35-3.32.1 tomcat-jsp-2_3-api-9.0.35-3.32.1 tomcat-jsvc-9.0.35-3.32.1 tomcat-lib-9.0.35-3.32.1 tomcat-servlet-4_0-api-9.0.35-3.32.1 tomcat-webapps-9.0.35-3.32.1 tomcat-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-admin-webapps-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-docs-webapp-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-el-3_0-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-javadoc-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-jsp-2_3-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-lib-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-servlet-4_0-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-webapps-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP4 tomcat-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-admin-webapps-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-docs-webapp-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-el-3_0-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-javadoc-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-jsp-2_3-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-lib-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-servlet-4_0-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-webapps-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-admin-webapps-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-docs-webapp-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-el-3_0-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-javadoc-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-jsp-2_3-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-lib-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-servlet-4_0-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-webapps-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-admin-webapps-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-docs-webapp-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-el-3_0-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-javadoc-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-jsp-2_3-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-lib-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-servlet-4_0-api-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-webapps-9.0.35-3.32.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. CVE-2020-9484 SUSE Linux Enterprise Server 12 SP4:tomcat-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP4:tomcat-admin-webapps-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP4:tomcat-docs-webapp-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP4:tomcat-el-3_0-api-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP4:tomcat-javadoc-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP4:tomcat-jsp-2_3-api-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP4:tomcat-lib-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP4:tomcat-servlet-4_0-api-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP4:tomcat-webapps-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-admin-webapps-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-docs-webapp-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-el-3_0-api-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-javadoc-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-jsp-2_3-api-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-lib-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-servlet-4_0-api-9.0.35-3.32.1 SUSE Linux Enterprise Server 12 SP5:tomcat-webapps-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-admin-webapps-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-docs-webapp-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-el-3_0-api-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-javadoc-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-jsp-2_3-api-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-lib-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-servlet-4_0-api-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-webapps-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-admin-webapps-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-docs-webapp-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-el-3_0-api-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-javadoc-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-jsp-2_3-api-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-lib-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-servlet-4_0-api-9.0.35-3.32.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-webapps-9.0.35-3.32.1 important 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20201365-1/ https://www.suse.com/security/cve/CVE-2020-9484.html CVE-2020-9484 https://bugzilla.suse.com/1171928 SUSE Bug 1171928 https://bugzilla.suse.com/1182909 SUSE Bug 1182909 https://bugzilla.suse.com/1195255 SUSE Bug 1195255 https://bugzilla.suse.com/1196395 SUSE Bug 1196395 https://bugzilla.suse.com/1201081 SUSE Bug 1201081