高危 Apache Tomcat Session 反序列化代码执行漏洞(CVE-2020-9484)
CVE编号
CVE-2020-9484利用情况
漏洞武器化补丁情况
官方补丁披露时间
2020-05-21漏洞描述
Apache Tomcat是由Apache软件基金会属下Jakarta项目开发的Servlet容器。攻击者可能可以构造恶意请求,造成反序列化代码执行漏洞。成功利用该漏洞需要同时满足下列四个条件: 1. 攻击者能够控制服务器上文件的内容和名称 2. 服务器PersistenceManager配置中使用了FileStore 3. 服务器PersistenceManager配置中设置了sessionAttributeValueClassNameFilter为NULL,或者使用了其他较为宽松的过滤器,允许攻击者提供反序列化数据对象 4. 攻击者知道使用的FileStore存储位置到可控文件的相对文件路径。 整体利用条件较为苛刻,实际危害相对较低,为彻底防止漏洞潜在风险,阿里云应急响应中心仍建议Apache Tomcat用户修复漏洞。解决建议
1. 升级Apache Tomcat至安全版本2. 禁止使用Session持久化功能FileStore受影响软件情况
| # | 类型 | 厂商 | 产品 | 版本 | 影响面 | ||||
| 1 | |||||||||
|---|---|---|---|---|---|---|---|---|---|
| 运行在以下环境 | |||||||||
| 应用 | apache | tomcat | * | From (including) 7.0.0 | Up to (including) 7.0.103 | ||||
| 运行在以下环境 | |||||||||
| 应用 | apache | tomcat | * | From (including) 8.5.0 | Up to (including) 8.5.54 | ||||
| 运行在以下环境 | |||||||||
| 应用 | apache | tomcat | * | From (including) 9.0.1 | Up to (including) 9.0.34 | ||||
| 运行在以下环境 | |||||||||
| 应用 | apache | tomcat | 10.0.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | apache | tomcat | 9.0.0 | - | |||||
| 运行在以下环境 | |||||||||
| 应用 | oracle | instantis_enterprisetrack | * | From (including) 17.1 | Up to (including) 17.3 | ||||
| 运行在以下环境 | |||||||||
| 系统 | canonical | ubuntu_linux | 16.04 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian | debian_linux | 10.0 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian | debian_linux | 8.0 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | debian | debian_linux | 9.0 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | fedoraproject | fedora | 31 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | fedoraproject | fedora | 32 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | opensuse | leap | 15.1 | - | |||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_6 | tomcat6 | * | Up to (excluding) 0:6.0.24-115.el6_10 | |||||
| 运行在以下环境 | |||||||||
| 系统 | redhat_7 | tomcat | * | Up to (excluding) 0:7.0.76-12.el7_8 | |||||
| 运行在以下环境 | |||||||||
| 系统 | sles_12 | tomcat | * | Up to (excluding) 9.0.35-3.32 | |||||
| 运行在以下环境 | |||||||||
| 系统 | suse_12 | tomcat | * | Up to (excluding) 9.0.35-3.32 | |||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_16.04.7_lts | tomcat8 | * | Up to (excluding) 8.0.32-1ubuntu1.13 | |||||
| 运行在以下环境 | |||||||||
| 系统 | ubuntu_16.04_lts | tomcat8 | * | Up to (excluding) 8.0.32-1ubuntu1.13 | |||||
- 攻击路径 远程
- 攻击复杂度 复杂
- 权限要求 无需权限
- 影响范围 全局影响
- EXP成熟度 漏洞武器化
- 补丁情况 官方补丁
- 数据保密性 数据泄露
- 数据完整性 传输被破坏
- 服务器危害 服务器失陷
- 全网数量 N/A
| CWE-ID | 漏洞类型 |
| CWE-502 | 可信数据的反序列化 |
Exp相关链接
- https://github.com/anjai94/CVE-2020-9484-exploit
- https://github.com/AssassinUKG/CVE-2020-9484
- https://github.com/DeviantSec/CVE-2020-9484-Scanner
- https://github.com/DXY0411/CVE-2020-9484
- https://github.com/IdealDreamLast/CVE-2020-9484
- https://github.com/masahiro331/CVE-2020-9484
- https://github.com/masahiro331/CVE-2020-9484、https://github.com/IdealDreamLast/CVE-2020-9484、https://github.com/anjai94/CVE-2020-9484-exploit、https://github.com/VICXOR/CVE-2020-9484
- https://github.com/osamahamad/CVE-2020-9484-Mass-Scan
- https://github.com/PenTestical/CVE-2020-9484
- https://github.com/Proxysec/-CVE-2020-9484
- https://github.com/Proxysec/-CVE-2020-9484-
- https://github.com/qerogram/CVE-2020-9484
- https://github.com/threedr3am/tomcat-cluster-session-sync-exp
- https://github.com/VICXOR/CVE-2020-9484
- https://github.com/X-x-X-0/-CVE-2020-9484
- https://github.com/X-x-X-0/-CVE-2020-9484-
- https://raw.githubusercontent.com/1N3/Sn1per/master/templates/active/CVE-2020-9484_-_Apache_Tomcat_RCE_by_deserialization.sh
- https://raw.githubusercontent.com/jaeles-project/jaeles-signatures/master/cves/apache-tomcat-rce-cve-2020-9484.yaml
- https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/CVE-2020-9484.yaml
版权声明
本站原创文章转载请注明文章出处及链接,谢谢合作!
评论