What is CVE-2020-9484?
CVE-2020-9484 is a security vulnerability found in Apache Tomcat, a widely used open-source web server and servlet container. This vulnerability allows attackers to execute arbitrary code on the server by exploiting insecure deserialization of session data. It affects multiple versions of Apache Tomcat, including versions 7.0.0 to 7.0.103, 8.5.0 to 8.5.54, and 9.0.0.M1 to 9.0.34, posing a significant threat to any web application relying on these versions of Tomcat for session management.
CVSS Score and Severity
- CVSS Score: 8.1 (High)
- Severity: The CVSS score of 8.1 out of 10 reflects the high severity of this vulnerability. The potential for remote code execution, leading to full system compromise, makes this a critical issue for organizations using vulnerable versions of Apache Tomcat.
So what’s the problem?
CVE-2020-9484 is particularly dangerous because it allows attackers to exploit insecure deserialization of session data, which can lead to remote code execution. An attacker can manipulate serialized session data to inject malicious objects, which, when deserialized by Tomcat, can execute arbitrary code on the server. This could result in the complete compromise of the affected system, allowing attackers to steal data, deploy malware, or disrupt services. Given the widespread use of Apache Tomcat in hosting web applications, this vulnerability poses a serious risk to any organization that has not applied the necessary patches.
Background and Context
Background on the vulnerability
CVE-2020-9484 was discovered in 2020 during a security review of Apache Tomcat. Apache Tomcat is a widely used servlet container that implements several Java EE specifications, including Java Servlets, JSP, and WebSockets. The vulnerability is rooted in the way Tomcat handles session data serialization and deserialization, specifically when using the FileStore and PersistentManager components. If an attacker can control the contents of a session, they can inject malicious data that, upon deserialization, leads to the execution of arbitrary code.
Description of the Vulnerability (CVE-2020-9484)
The vulnerability occurs due to the insecure handling of serialized session data in Apache Tomcat. When the PersistentManager is configured with a FileStore, session data is serialized and written to disk. If an attacker can tamper with this serialized data (for instance, by gaining access to the file system), they can inject malicious objects into the session. When Tomcat deserializes this manipulated data during session restoration, the malicious objects are executed, potentially leading to arbitrary code execution on the server.
Root Cause Analysis
The root cause of CVE-2020-9484 is the insecure deserialization process in Apache Tomcat when using the PersistentManager and FileStore combination. Because serialized objects are not validated or filtered before deserialization, an attacker who can inject malicious objects into the stored session data gets them instantiated by Tomcat. The vulnerability is exacerbated in environments where the session store is not adequately secured, allowing attackers to modify session data.
Impact and Exploitation
The impact of CVE-2020-9484
Exploiting CVE-2020-9484 can have several severe impacts:
- Remote Code Execution: The most critical impact is the ability for an attacker to execute arbitrary code on the server, potentially leading to full system compromise.
- Data Theft: An attacker could use this vulnerability to steal sensitive data stored on the server or in the session data.
- Service Disruption: By executing arbitrary code, the attacker could disrupt services, deploy malware, or delete critical data, leading to significant downtime and operational issues.
Exploit
To exploit CVE-2020-9484, an attacker must have access to the serialized session data stored by Apache Tomcat. The exploitation process involves:
- Gaining access to the file system where Tomcat stores serialized session data, typically in the FileStore directory.
- Modifying the serialized session data to include malicious objects designed to execute arbitrary code when deserialized.
- Allowing the manipulated session data to be deserialized by Tomcat, leading to the execution of the attacker’s code on the server.
In-the-Wild Attacks
Since its disclosure, CVE-2020-9484 has been a target for exploitation, particularly in environments where Tomcat servers are not adequately secured. Attackers have leveraged this vulnerability to gain unauthorized access to systems, execute malicious code, and disrupt web applications. The vulnerability’s potential for remote code execution makes it a high-priority target for attackers.
Vulnerable code/package in the application
The vulnerable code is located within the session management components of Apache Tomcat, specifically when using the PersistentManager and FileStore for session storage. The affected versions include Apache Tomcat 7.0.0 to 7.0.103, 8.5.0 to 8.5.54, and 9.0.0.M1 to 9.0.34. The vulnerability is tied to the insecure deserialization of session data, which allows attackers to inject and execute arbitrary code.
Statistics on vulnerability
While specific exploitation statistics for CVE-2020-9484 are not widely available, the vulnerability’s critical nature and the widespread use of Apache Tomcat make it a significant concern for organizations across various industries. The potential for remote code execution and system compromise underscores the importance of addressing this issue promptly.
Mitigation and Remediation
Mitigating CVE-2020-9484
Organizations can mitigate the risks associated with CVE-2020-9484 by:
- Applying Patches: Apache has released patches to address this vulnerability. It is critical to update all affected Tomcat servers to the latest software versions to prevent exploitation.
- Securing Session Stores: Ensure that the file system where Tomcat stores serialized session data is properly secured, limiting access to trusted users and preventing unauthorized modifications.
- Disabling Insecure Components: If possible, avoid using the PersistentManager with FileStore for session management, or configure the session store to use a more secure storage mechanism.
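As an added example, not from the original page or the Tomcat project, the following Python script audits the serialized session files a FileStore leaves on disk and flags class names that fall outside an allowlist, which is the check the "Securing Session Stores" and "Disabling Insecure Components" items above call for. The allowlist regex is the one Tomcat's sessionAttributeValueClassNameFilter attribute on the Manager applies by default when a SecurityManager is enabled; the Java serialization scan is a heuristic rather than a full parser, and the sample streams and the com.example.Gadget class name are constructed here for illustration.

```python
from __future__ import annotations
import re
from pathlib import Path

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream STREAM_MAGIC + STREAM_VERSION
TC_OBJECT, TC_CLASSDESC = 0x73, 0x72
CLASS_NAME = re.compile(r"\[*L?[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*;?")
# Same regex Tomcat applies via sessionAttributeValueClassNameFilter when a
# SecurityManager is enabled; widen it for your application's own session classes.
DEFAULT_ALLOW = re.compile(r"java\.lang\.(?:Boolean|Integer|Long|Number|String)")

def class_names(stream: bytes) -> list[str]:
    """Heuristic: collect names from TC_CLASSDESC records (0x72, 2-byte length, UTF-8 name).
    Not a full Java serialization parser, but enough to list what a session file would instantiate."""
    names, i = [], 0
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC:
            n = int.from_bytes(stream[i + 1:i + 3], "big")
            raw = stream[i + 3:i + 3 + n]
            name = raw.decode("utf-8", errors="replace")
            if 0 < n <= 256 and len(raw) == n and CLASS_NAME.fullmatch(name):
                names.append(name)
                i += 3 + n
                continue
        i += 1
    return names

def audit(stream: bytes, allow: re.Pattern = DEFAULT_ALLOW) -> dict:
    """Return which classes the stream references and which fall outside the allowlist."""
    if not stream.startswith(JAVA_SERIAL_MAGIC):
        return {"ok": False, "classes": [], "disallowed": [], "reason": "not a Java serialization stream"}
    found = class_names(stream)
    bad = sorted({c for c in found if not allow.fullmatch(c)})
    return {"ok": not bad, "classes": found, "disallowed": bad}

def audit_dir(directory: str, allow: re.Pattern = DEFAULT_ALLOW) -> dict[str, dict]:
    """Audit every <sessionId>.session file that FileStore persisted under `directory`."""
    return {p.name: audit(p.read_bytes(), allow) for p in Path(directory).glob("*.session")}

# --- constructed sample streams (not real Tomcat output) -----------------------------
def _class_desc(name: str) -> bytes:
    # TC_CLASSDESC, name, serialVersionUID, flags=SC_SERIALIZABLE, 0 fields, TC_ENDBLOCKDATA, TC_NULL super
    enc = name.encode()
    return bytes([TC_CLASSDESC]) + len(enc).to_bytes(2, "big") + enc + b"\x00" * 8 + b"\x02\x00\x00\x78\x70"

def sample_stream(names: list[str]) -> bytes:
    return JAVA_SERIAL_MAGIC + b"".join(bytes([TC_OBJECT]) + _class_desc(n) for n in names)

BENIGN = sample_stream(["java.lang.Long", "java.lang.Integer", "java.lang.Boolean"])
TAMPERED = sample_stream(["java.lang.Long", "com.example.Gadget"])  # placeholder class name
```

Run `audit_dir` against the FileStore directory configured in context.xml; any file reported with a non-empty `disallowed` list deserves investigation before Tomcat reloads it.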
Patch and Bypass: Fixes Added for CVE-2020-9484
The patch for CVE-2020-9484 involves updates to Apache Tomcat’s session management to ensure that serialized session data is properly validated before deserialization. The patch also includes improvements to how session data is stored and accessed, reducing the risk of tampering. Organizations should ensure that their Tomcat installations are updated to the latest version to protect against this vulnerability.
Proactive response
A proactive security approach includes regularly updating software, conducting security audits of web application environments, and implementing best practices for secure session management. Organizations should also consider using alternative session storage mechanisms that do not rely on serialization or ensure that deserialization processes are properly secured.
Proof of Concept (POC)
A POC for CVE-2020-9484 might involve manipulating session data stored in a Tomcat FileStore, for example from a bash shell:
echo 'malicious payload' > session.ser
If the server deserializes this session data, it could execute the embedded payload, demonstrating the vulnerability.
Real-world Impact and Response
Timeline/changelog
- April 2020: Discovery and public disclosure of CVE-2020-9484 during a security review of Apache Tomcat.
- June 2020: Apache releases patches to address the vulnerability in all affected versions of Tomcat.
- July 2020: Security advisories and guidance issued to organizations to update their Tomcat installations and secure their environments against potential exploitation.
Observed Activity
Since its disclosure, CVE-2020-9484 has been actively targeted by attackers, particularly in environments where Tomcat servers are not adequately secured. Exploitation has led to the compromise of web applications and the execution of arbitrary code on vulnerable servers. The vulnerability’s presence in widely used web infrastructure has made it a priority for organizations to patch.
Mass Scanning
There have been no widespread reports of mass scanning specifically targeting CVE-2020-9484. However, attackers often scan for exposed Tomcat servers, and systems running vulnerable versions may be at risk if not properly secured.
Vulnerable Server Discovery
Vulnerable servers can be discovered by attackers through targeted scanning or by analyzing network traffic for signs of outdated Tomcat versions. Ensuring that all servers are updated and properly configured is essential to prevent exploitation.
Reasoning and Scoring
Corporate networks impacted globally
CVE-2020-9484 has the potential to impact corporate networks globally, particularly in industries that rely heavily on Apache Tomcat for hosting web applications. The vulnerability can be exploited to gain unauthorized access, execute arbitrary code, and compromise the integrity of web applications.
Corporate impact by region
- United States: Extensive use of Apache Tomcat in enterprise environments, with many organizations potentially at risk.
- Europe: Significant adoption of Tomcat in technology, finance, and e-commerce sectors, leading to potential exposure.
- Asia: Widespread use of Tomcat in industries where secure web operations are critical.
Conclusion
Who should be paying attention to this?
System administrators, cybersecurity professionals, and organizations that use Apache Tomcat for hosting web applications should prioritize attention to CVE-2020-9484. Ensuring that Tomcat servers are patched and secure is critical for maintaining the integrity of web applications and preventing potential exploitation.
Who is exploiting it and how?
CVE-2020-9484 has been exploited by attackers who identify vulnerable Tomcat servers with improperly secured session stores. These attackers manipulate serialized session data to inject and execute arbitrary code, leading to the compromise of the server and the web applications it hosts.
How are things likely to develop?
As more organizations apply patches and secure their Tomcat environments, the risk of widespread exploitation decreases. However, systems that remain unpatched are still vulnerable to attack, and the potential for targeted exploitation remains a concern. Continuous vigilance and adherence to security best practices are essential to prevent exploitation.
How long has it been around?
CVE-2020-9484 was discovered and disclosed in April 2020, but the underlying issue with insecure deserialization may have existed in Apache Tomcat for some time before its discovery. This highlights the importance of regular security reviews and updates to address potential vulnerabilities in widely used web infrastructure.