CVE-2020-9484 (GCVE-0-2020-9484)
Vulnerability from cvelistv5 – Published: 2020-05-20 18:26 – Updated: 2024-08-04 10:26

Remote Code Execution

| Vendor | Product | Version |
|---|---|---|
| n/a | Apache Tomcat | Affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to 7.0.103 |

{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T10:26:16.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[tomcat-users] 20200521 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200523 [SECURITY] [DLA 2217-1] tomcat7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html"
},
{
"name": "[tomcat-users] 20200524 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:0711",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html"
},
{
"name": "[tomcat-dev] 20200527 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
},
{
"name": "20200602 [CVE-2020-9484] Apache Tomcat RCE via PersistentManager",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/6"
},
{
"name": "GLSA-202006-21",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202006-21"
},
{
"name": "FEDORA-2020-ce396e7d5c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/"
},
{
"name": "FEDORA-2020-d9169235a8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/"
},
{
"name": "[tomcat-dev] 20200625 svn commit: r1879208 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-8.xml xdocs/security-9.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200712 [SECURITY] [DLA 2279-1] tomcat8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20200528-0005/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html"
},
{
"name": "DSA-4727",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"name": "USN-4448-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4448-1/"
},
{
"name": "[tomee-commits] 20201013 [jira] [Created] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Updated] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Assigned] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Commented] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "USN-4596-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU",
"x_transferred"
],
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "[tomcat-dev] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E"
},
{
"name": "[tomcat-users] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210301 svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "[oss-security] 20210301 CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/01/2"
},
{
"name": "[tomee-commits] 20210522 [jira] [Closed] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "[tomcat-users] 20210701 What is \"h2c\"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-users] 20210701 Re: What is \"h2c\"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-users] 20210702 Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210712 svn commit: r1891484 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Apache Tomcat",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to 7.0.103"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\"null\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "Remote Code Execution",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-07-25T16:24:10.000Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"name": "[tomcat-users] 20200521 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200523 [SECURITY] [DLA 2217-1] tomcat7 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html"
},
{
"name": "[tomcat-users] 20200524 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:0711",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html"
},
{
"name": "[tomcat-dev] 20200527 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
},
{
"name": "20200602 [CVE-2020-9484] Apache Tomcat RCE via PersistentManager",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "http://seclists.org/fulldisclosure/2020/Jun/6"
},
{
"name": "GLSA-202006-21",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202006-21"
},
{
"name": "FEDORA-2020-ce396e7d5c",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/"
},
{
"name": "FEDORA-2020-d9169235a8",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/"
},
{
"name": "[tomcat-dev] 20200625 svn commit: r1879208 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-8.xml xdocs/security-9.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200712 [SECURITY] [DLA 2279-1] tomcat8 security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20200528-0005/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html"
},
{
"name": "DSA-4727",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"name": "USN-4448-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4448-1/"
},
{
"name": "[tomee-commits] 20201013 [jira] [Created] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Updated] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Assigned] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Commented] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "USN-4596-1",
"tags": [
"vendor-advisory",
"x_refsource_UBUNTU"
],
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "[tomcat-dev] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E"
},
{
"name": "[tomcat-users] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210301 svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "[oss-security] 20210301 CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2021/03/01/2"
},
{
"name": "[tomee-commits] 20210522 [jira] [Closed] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "[tomcat-users] 20210701 What is \"h2c\"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-users] 20210701 Re: What is \"h2c\"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-users] 20210702 Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210712 svn commit: r1891484 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2020-9484",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Tomcat",
"version": {
"version_data": [
{
"version_value": "Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to 7.0.103"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\"null\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[tomcat-users] 20200521 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200523 [SECURITY] [DLA 2217-1] tomcat7 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html"
},
{
"name": "[tomcat-users] 20200524 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469@%3Cusers.tomcat.apache.org%3E"
},
{
"name": "openSUSE-SU-2020:0711",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html"
},
{
"name": "[tomcat-dev] 20200527 Re: [SECURITY] CVE-2020-9484 Apache Tomcat Remote Code Execution via session persistence",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200528 [SECURITY] [DLA 2209-1] tomcat8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"
},
{
"name": "20200602 [CVE-2020-9484] Apache Tomcat RCE via PersistentManager",
"refsource": "FULLDISC",
"url": "http://seclists.org/fulldisclosure/2020/Jun/6"
},
{
"name": "GLSA-202006-21",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202006-21"
},
{
"name": "FEDORA-2020-ce396e7d5c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/"
},
{
"name": "FEDORA-2020-d9169235a8",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/"
},
{
"name": "[tomcat-dev] 20200625 svn commit: r1879208 - in /tomcat/site/trunk: docs/security-10.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-8.xml xdocs/security-9.xml",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[debian-lts-announce] 20200712 [SECURITY] [DLA 2279-1] tomcat8 security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2020.html"
},
{
"name": "https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E",
"refsource": "MISC",
"url": "https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "https://security.netapp.com/advisory/ntap-20200528-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20200528-0005/"
},
{
"name": "http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html"
},
{
"name": "DSA-4727",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2020/dsa-4727"
},
{
"name": "USN-4448-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4448-1/"
},
{
"name": "[tomee-commits] 20201013 [jira] [Created] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Updated] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Assigned] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "[tomee-commits] 20201013 [jira] [Commented] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
},
{
"name": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332",
"refsource": "CONFIRM",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332"
},
{
"name": "USN-4596-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4596-1/"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2021.html"
},
{
"name": "[tomcat-dev] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E"
},
{
"name": "[tomcat-users] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210301 svn commit: r1887027 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "[tomcat-announce] 20210301 [SECURITY] CVE-2021-25329 Apache Tomcat Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E"
},
{
"name": "[oss-security] 20210301 CVE-2021-25329: Apache Tomcat Incomplete fix for CVE-2020-9484",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2021/03/01/2"
},
{
"name": "[tomee-commits] 20210522 [jira] [Closed] (TOMEE-2909) Impact of security vulnerability(CVE-2020-9484) on TOMEE plus (7.0.7)",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c@%3Ccommits.tomee.apache.org%3E"
},
{
"name": "https://www.oracle.com/security-alerts/cpuApr2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuApr2021.html"
},
{
"name": "[tomcat-users] 20210701 What is \"h2c\"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-users] 20210701 Re: What is \"h2c\"? What is CVE-2021-25329? Re: Most recent security-related update to 8.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-users] 20210702 Re: CVE-2021-25329, was Re: Most recent security-related update to 8.5",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E"
},
{
"name": "[tomcat-dev] 20210712 svn commit: r1891484 - in /tomcat/site/trunk: docs/security-10.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml",
"refsource": "MLIST",
"url": "https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c@%3Cdev.tomcat.apache.org%3E"
},
{
"name": "https://www.oracle.com//security-alerts/cpujul2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com//security-alerts/cpujul2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpuoct2021.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2022.html"
},
{
"name": "https://www.oracle.com/security-alerts/cpujul2022.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujul2022.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2020-9484",
"datePublished": "2020-05-20T18:26:41.000Z",
"dateReserved": "2020-03-01T00:00:00.000Z",
"dateUpdated": "2024-08-04T10:26:16.293Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2020-9484",
"date": "2026-05-31",
"epss": "0.93464",
"percentile": "0.99829"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0.0\", \"versionEndExcluding\": \"7.0.108\", \"matchCriteriaId\": \"EE5E91B0-1B3B-4871-ADD0-C772DA1894E6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.5.0\", \"versionEndExcluding\": \"8.5.63\", \"matchCriteriaId\": \"6F32163D-F54D-48C9-AE9D-44ABA776B060\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"9.0.1\", \"versionEndExcluding\": \"9.0.43\", \"matchCriteriaId\": \"C570AD4E-B51D-4490-83B9-BFC8528514EF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*\", \"matchCriteriaId\": \"9D0689FE-4BC0-4F53-8C79-34B21F9B86C2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*\", \"matchCriteriaId\": \"89B129B2-FB6F-4EF9-BF12-E589A87996CF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B6787B6-54A8-475E-BA1C-AB99334B2535\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*\", \"matchCriteriaId\": \"EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*\", \"matchCriteriaId\": \"E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*\", \"matchCriteriaId\": \"8A6DA0BE-908C-4DA8-A191-A0113235E99A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*\", \"matchCriteriaId\": \"39029C72-28B4-46A4-BFF5-EC822CFB2A4C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*\", \"matchCriteriaId\": 
\"1A2E05A3-014F-4C4D-81E5-88E725FBD6AD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*\", \"matchCriteriaId\": \"166C533C-0833-41D5-99B6-17A4FAB3CAF0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*\", \"matchCriteriaId\": \"D3768C60-21FA-4B92-B98C-C3A2602D1BC4\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*\", \"matchCriteriaId\": \"DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*\", \"matchCriteriaId\": \"9F542E12-6BA8-4504-A494-DA83E7E19BD5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*\", \"matchCriteriaId\": \"C2409CC7-6A85-4A66-A457-0D62B9895DC1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*\", \"matchCriteriaId\": \"B392A7E5-4455-4B1C-8FAC-AE6DDC70689E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*\", \"matchCriteriaId\": \"EF411DDA-2601-449A-9046-D250419A0E1A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*\", \"matchCriteriaId\": \"D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*\", \"matchCriteriaId\": \"1B4FBF97-DE16-4E5E-BE19-471E01818D40\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*\", \"matchCriteriaId\": \"3B266B1E-24B5-47EE-A421-E0E3CC0C7471\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*\", \"matchCriteriaId\": \"29614C3A-6FB3-41C7-B56E-9CC3F45B04F0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*\", \"matchCriteriaId\": \"C6AB156C-8FF6-4727-AF75-590D0DCB3F9D\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*\", \"matchCriteriaId\": \"C0C5F004-F7D8-45DB-B173-351C50B0EC16\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*\", \"matchCriteriaId\": \"D1902D2E-1896-4D3D-9E1C-3A675255072C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*\", \"matchCriteriaId\": \"49AAF4DF-F61D-47A8-8788-A21E317A145D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*\", \"matchCriteriaId\": \"454211D0-60A2-4661-AECA-4C0121413FEB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*\", \"matchCriteriaId\": \"0686F977-889F-4960-8E0B-7784B73A7F2D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*\", \"matchCriteriaId\": \"558703AE-DB5E-4DFF-B497-C36694DD7B24\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*\", \"matchCriteriaId\": \"ED6273F2-1165-47A4-8DD7-9E9B2472941B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*\", \"matchCriteriaId\": \"90CD7E85-4FF9-4158-AC78-4BFCBC882A65\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*\", \"matchCriteriaId\": \"7EA56B52-1015-40CD-B10C-393768094269\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*\", \"matchCriteriaId\": \"501B0D4A-D636-4736-979B-D5023599CEFB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*\", \"matchCriteriaId\": \"94E7764F-BF9E-463E-B446-A9A8DB92BB97\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}, {\"vulnerable\": true, \"criteria\": 
\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B620311B-34A3-48A6-82DF-6F078D7A4493\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*\", \"matchCriteriaId\": \"902B8056-9E37-443B-8905-8AA93E2447FB\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"80C9DBB8-3D50-4D5D-859A-B022EB7C2E64\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D14ABF04-E460-4911-9C6C-B7BCEFE68E9D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"ED43772F-D280-42F6-A292-7198284D6FE7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C650FEDB-E903-4C2D-AD40-282AB5F2E3C2\"}, 
{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B6B6FE82-7BFA-481D-99D6-789B146CA18B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4479F76A-4B67-41CC-98C7-C76B81050F8E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.0.0.0\", \"versionEndIncluding\": \"8.4.0.5\", \"matchCriteriaId\": \"12981AA7-BBF6-4158-8F7D-9DD3880FDCC1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.2.0\", \"versionEndIncluding\": \"8.2.2\", \"matchCriteriaId\": \"B51F78F4-8D7E-48C2-86D1-D53A6EB348A7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0DB23B9A-571E-4B77-B432-23F3DC9B67D1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.2.0\", \"versionEndIncluding\": \"8.2.2\", \"matchCriteriaId\": \"3E5416A1-EE58-415D-9645-B6A875EBAED2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"8.2.0\", \"versionEndIncluding\": \"8.2.2\", \"matchCriteriaId\": \"11B0C37E-D7C7-45F2-A8D8-5A3B1B191430\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:database:12.2.0.1:*:*:*:enterprise:*:*:*\", \"matchCriteriaId\": \"46E7237C-00BD-4490-96C3-A8EAE4CE2C0B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:database:19c:*:*:*:enterprise:*:*:*\", \"matchCriteriaId\": \"C1E05472-8F3A-4E46-90E5-50EA6D555FDC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:database:21c:*:*:*:enterprise:*:*:*\", 
\"matchCriteriaId\": \"02E34416-E767-4F61-8D2C-0D0202351F91\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9C5E9A12-BFE9-4963-A360-A34168A6BF6A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CA2E1357-E3A1-461C-B7A0-A9446E45496D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1A3DC116-2844-47A1-BEC2-D0675DD97148\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"17.1\", \"versionEndIncluding\": \"17.3\", \"matchCriteriaId\": \"9A74FD5F-4FEA-4A74-8B92-72DFDE6BA464\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A2E3E923-E2AD-400D-A618-26ADF7F841A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9AB58D27-37F2-4A32-B786-3490024290A1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"8.0.21\", \"matchCriteriaId\": \"70C60E6C-1A61-422B-A132-FB024761F576\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EE8CF045-09BB-4069-BCEC-496D5AE3B780\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:siebel_apps_-_marketing:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"21.9\", \"matchCriteriaId\": \"7AACBCC9-FDAC-42DF-B931-BD908CAF5C65\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"20.12\", 
\"matchCriteriaId\": \"30DB69BD-0F6E-4AB5-A861-7CB911C35660\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A58642E0-CA59-4DE6-A83C-F551FC621C32\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AD848FE1-CFD7-490C-B008-DF3B30F3256F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"630C8E99-FE49-486E-9003-40B82809B7A3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C842DE9E-5E12-4295-AFA5-DEB5FEDE490A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEB90C24-D252-4099-A7A1-9F8754DFB4A5\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"106FDF5A-D377-4E5F-8BF9-09290019C98A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*\", \"matchCriteriaId\": \"0F30D3AF-4FA3-4B7A-BE04-C24E2EA19A95\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*\", \"matchCriteriaId\": \"7B00DDE7-7002-45BE-8EDE-65D964922CB0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*\", \"matchCriteriaId\": \"FF806B52-DAD5-4D12-8BB6-3CBF9DC6B8DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*\", \"matchCriteriaId\": \"7DE847E0-431D-497D-9C57-C4E59749F6A0\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\\\"null\\\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.\"}, {\"lang\": \"es\", \"value\": \"Cuando se usa Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M4, 9.0.0.M1 hasta 9.0.34, 8.5.0 hasta 8.5.54 y 7.0.0 hasta 7.0. 103, si a) un atacante es capaz de controlar el contenido y el nombre de un archivo en el servidor; y b) el servidor est\\u00e1 configurado para usar el PersistenceManager con un FileStore; y c) el PersistenceManager est\\u00e1 configurado con sessionAttributeValueClassNameFilter=\\\"null\\\" (el valor predeterminado a menos que se utilice un SecurityManager) o un filtro lo suficientemente laxo como para permitir que el objeto proporcionado por el atacante sea deserializado; y d) el atacante conoce la ruta relativa del archivo desde la ubicaci\\u00f3n de almacenamiento usada por FileStore hasta el archivo sobre el que el atacante presenta control; entonces, mediante una petici\\u00f3n espec\\u00edficamente dise\\u00f1ada, el atacante podr\\u00e1 ser capaz de desencadenar una ejecuci\\u00f3n de c\\u00f3digo remota mediante la deserializaci\\u00f3n del archivo bajo su control. 
Tome en cuenta que todas las condiciones desde la a) hasta la d) deben cumplirse para que el ataque tenga \\u00e9xito.\"}]",
"id": "CVE-2020-9484",
"lastModified": "2024-11-21T05:40:44.420",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.0, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.0, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 4.4, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.4, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2020-05-20T19:15:09.257",
"references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2020/Jun/6\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/03/01/2\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E\", \"source\": 
\"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E\", \"source\": 
\"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html\", \"source\": \"security@apache.org\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/\", \"source\": \"security@apache.org\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/\", \"source\": \"security@apache.org\"}, {\"url\": \"https://security.gentoo.org/glsa/202006-21\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200528-0005/\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4448-1/\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4596-1/\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4727\", \"source\": \"security@apache.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": 
\"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"source\": \"security@apache.org\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"security@apache.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://seclists.org/fulldisclosure/2020/Jun/6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2021/03/01/2\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332\", \"source\": 
\"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Mitigation\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": 
\"https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.gentoo.org/glsa/202006-21\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200528-0005/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4448-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4596-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2020/dsa-4727\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com//security-alerts/cpujul2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuApr2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": 
[\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujan2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpujul2022.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2020.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.oracle.com/security-alerts/cpuoct2021.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}]",
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2020-9484\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2020-05-20T19:15:09.257\",\"lastModified\":\"2024-11-21T05:40:44.420\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\\\"null\\\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.\"},{\"lang\":\"es\",\"value\":\"Cuando se usa Apache Tomcat versiones 10.0.0-M1 hasta 10.0.0-M4, 9.0.0.M1 hasta 9.0.34, 8.5.0 hasta 8.5.54 y 7.0.0 hasta 7.0. 
103, si a) un atacante es capaz de controlar el contenido y el nombre de un archivo en el servidor; y b) el servidor est\u00e1 configurado para usar el PersistenceManager con un FileStore; y c) el PersistenceManager est\u00e1 configurado con sessionAttributeValueClassNameFilter=\\\"null\\\" (el valor predeterminado a menos que se utilice un SecurityManager) o un filtro lo suficientemente laxo como para permitir que el objeto proporcionado por el atacante sea deserializado; y d) el atacante conoce la ruta relativa del archivo desde la ubicaci\u00f3n de almacenamiento usada por FileStore hasta el archivo sobre el que el atacante presenta control; entonces, mediante una petici\u00f3n espec\u00edficamente dise\u00f1ada, el atacante podr\u00e1 ser capaz de desencadenar una ejecuci\u00f3n de c\u00f3digo remota mediante la deserializaci\u00f3n del archivo bajo su control. Tome en cuenta que todas las condiciones desde la a) hasta la d) deben cumplirse para que el ataque tenga \u00e9xito.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.0,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.0,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":4.4,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.4,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":fals
e,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.108\",\"matchCriteriaId\":\"EE5E91B0-1B3B-4871-ADD0-C772DA1894E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.5.0\",\"versionEndExcluding\":\"8.5.63\",\"matchCriteriaId\":\"6F32163D-F54D-48C9-AE9D-44ABA776B060\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"9.0.1\",\"versionEndExcluding\":\"9.0.43\",\"matchCriteriaId\":\"C570AD4E-B51D-4490-83B9-BFC8528514EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9D0689FE-4BC0-4F53-8C79-34B21F9B86C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*\",\"matchCriteriaId\":\"89B129B2-FB6F-4EF9-BF12-E589A87996CF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B6787B6-54A8-475E-BA1C-AB99334B2535\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*\",\"matchCriteriaId\":\"EABB6FBC-7486-44D5-A6AD-FFF1D3F677E1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*\",\"matchCriteriaId\":\"E10C03BC-EE6B-45B2-83AE-9E8DFB58D7DB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A6DA0BE-908C-4DA8-A191-A0113235E99A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*\",\"matchCriteriaId\":\"39029C72-28B4-46A4-
BFF5-EC822CFB2A4C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A2E05A3-014F-4C4D-81E5-88E725FBD6AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*\",\"matchCriteriaId\":\"166C533C-0833-41D5-99B6-17A4FAB3CAF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3768C60-21FA-4B92-B98C-C3A2602D1BC4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*\",\"matchCriteriaId\":\"DDD510FA-A2E4-4BAF-A0DE-F4E5777E9325\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"9F542E12-6BA8-4504-A494-DA83E7E19BD5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2409CC7-6A85-4A66-A457-0D62B9895DC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*\",\"matchCriteriaId\":\"B392A7E5-4455-4B1C-8FAC-AE6DDC70689E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF411DDA-2601-449A-9046-D250419A0E1A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*\",\"matchCriteriaId\":\"D7D8F2F4-AFE2-47EA-A3FD-79B54324DE02\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B4FBF97-DE16-4E5E-BE19-471E01818D40\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B266B1E-24B5-47EE-A421-E0E3CC0C7471\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*\",\"matchCriteriaId\":\"29614C3A-6FB3-41C7-B56E-9CC3F45B04F0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*\",\"matchCriteriaId\":\"C6AB156C-8FF6-4727
-AF75-590D0DCB3F9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"C0C5F004-F7D8-45DB-B173-351C50B0EC16\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1902D2E-1896-4D3D-9E1C-3A675255072C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*\",\"matchCriteriaId\":\"49AAF4DF-F61D-47A8-8788-A21E317A145D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*\",\"matchCriteriaId\":\"454211D0-60A2-4661-AECA-4C0121413FEB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*\",\"matchCriteriaId\":\"0686F977-889F-4960-8E0B-7784B73A7F2D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*\",\"matchCriteriaId\":\"558703AE-DB5E-4DFF-B497-C36694DD7B24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED6273F2-1165-47A4-8DD7-9E9B2472941B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*\",\"matchCriteriaId\":\"90CD7E85-4FF9-4158-AC78-4BFCBC882A65\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7EA56B52-1015-40CD-B10C-393768094269\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*\",\"matchCriteriaId\":\"501B0D4A-D636-4736-979B-D5023599CEFB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*\",\"matchCriteriaId\":\"94E7764F-BF9E-463E-B446-A9A8DB92BB97\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*
:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80F0FA5D-8D3B-4C0E-81E2-87998286AF33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"36D96259-24BD-44E2-96D9-78CE1D41F956\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"902B8056-9E37-443B-8905-8AA93E2447FB\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80C9DBB8-3D50-4D5D-859A-B022EB7C2E64\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D14ABF04-E460-4911-9C6C-B7BCEFE68E9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"ED43772F-D280-42F6-A292-7198284D6FE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C650FEDB-E903-4C2D-AD40-282AB5F2E3C2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*\",\"matchCr
iteriaId\":\"B6B6FE82-7BFA-481D-99D6-789B146CA18B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4479F76A-4B67-41CC-98C7-C76B81050F8E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.0.0.0\",\"versionEndIncluding\":\"8.4.0.5\",\"matchCriteriaId\":\"12981AA7-BBF6-4158-8F7D-9DD3880FDCC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndIncluding\":\"8.2.2\",\"matchCriteriaId\":\"B51F78F4-8D7E-48C2-86D1-D53A6EB348A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0DB23B9A-571E-4B77-B432-23F3DC9B67D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndIncluding\":\"8.2.2\",\"matchCriteriaId\":\"3E5416A1-EE58-415D-9645-B6A875EBAED2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.2.0\",\"versionEndIncluding\":\"8.2.2\",\"matchCriteriaId\":\"11B0C37E-D7C7-45F2-A8D8-5A3B1B191430\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:database:12.2.0.1:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"46E7237C-00BD-4490-96C3-A8EAE4CE2C0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:database:19c:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"C1E05472-8F3A-4E46-90E5-50EA6D555FDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:database:21c:*:*:*:enterprise:*:*:*\",\"matchCriteriaId\":\"02E34416-E767-4F61-8D2C-0D0202351F91\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C5E9A12-BFE9-4963-A360-A34168A6BF6A\"},{\"vu
lnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CA2E1357-E3A1-461C-B7A0-A9446E45496D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1A3DC116-2844-47A1-BEC2-D0675DD97148\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0F1DF3E-0F2D-4EFC-9A3E-F72149C8AE94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"17.1\",\"versionEndIncluding\":\"17.3\",\"matchCriteriaId\":\"9A74FD5F-4FEA-4A74-8B92-72DFDE6BA464\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A2E3E923-E2AD-400D-A618-26ADF7F841A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9AB58D27-37F2-4A32-B786-3490024290A1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"8.0.21\",\"matchCriteriaId\":\"70C60E6C-1A61-422B-A132-FB024761F576\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE8CF045-09BB-4069-BCEC-496D5AE3B780\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:siebel_apps_-_marketing:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"21.9\",\"matchCriteriaId\":\"7AACBCC9-FDAC-42DF-B931-BD908CAF5C65\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"20.12\",\"matchCriteriaId\":\"30DB69BD-0F6E-4AB5-A861-7CB911C35660\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A58642E0-CA59-4DE6-A83C-F551FC621C32\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*
:*:*:*:*:*\",\"matchCriteriaId\":\"AD848FE1-CFD7-490C-B008-DF3B30F3256F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"630C8E99-FE49-486E-9003-40B82809B7A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C842DE9E-5E12-4295-AFA5-DEB5FEDE490A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEB90C24-D252-4099-A7A1-9F8754DFB4A5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"106FDF5A-D377-4E5F-8BF9-09290019C98A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F30D3AF-4FA3-4B7A-BE04-C24E2EA19A95\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B00DDE7-7002-45BE-8EDE-65D964922CB0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF806B52-DAD5-4D12-8BB6-3CBF9DC6B8DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*\",\"matchCriteriaId\":\"7DE847E0-431D-497D-9C57-C4E59749F6A0\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Jun/6\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party 
Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/03/01/2\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rfe62fb
f9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html\",\"source\":\"security@apache.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/\",\"source\":\"security@apache.org\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/\",\"source\":\"security@apache.org\"},{\"url\":\"https://security.gentoo.org/glsa/202006-21\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200528-0005/\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4448-1/\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4596-1/\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4727\",\"source\":\"security@apache.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuApr2021.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"security@apache.org\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"security@apache.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://seclists.org/fulldisclosure/2020/Jun/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2021/03/01/2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing 
List\",\"Third Party Advisory\"]},{\"url\":\"https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10332\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Mitigation\",\"Patch\",\"Third Party 
Advisory\"]},{\"url\":\"https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3Ccommits.tomee.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf70f53af27e0
4869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.gentoo.org/glsa/202006-21\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party 
Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200528-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4448-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4596-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2020/dsa-4727\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com//security-alerts/cpujul2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuApr2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujan2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpujul2022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2020.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.oracle.com/security-alerts/cpuoct2021.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}"
}
}
RHSA-2020:2529
Vulnerability from csaf_redhat - Published: 2020-06-11 11:36 - Updated: 2026-05-14 22:25
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — | | Vendor Fix, fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for tomcat6 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2529",
"url": "https://access.redhat.com/errata/RHSA-2020:2529"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2529.json"
}
],
"title": "Red Hat Security Advisory: tomcat6 security update",
"tracking": {
"current_release_date": "2026-05-14T22:25:36+00:00",
"generator": {
"date": "2026-05-14T22:25:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:2529",
"initial_release_date": "2020-06-11T11:36:42+00:00",
"revision_history": [
{
"date": "2020-06-11T11:36:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-11T11:36:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:25:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat6-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-admin-webapps@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-docs-webapp@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-el-2.1-api@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-javadoc@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-jsp-2.1-api@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-lib@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-servlet-2.5-api@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-webapps@6.0.24-115.el6_10?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat6-0:6.0.24-115.el6_10.src",
"product": {
"name": "tomcat6-0:6.0.24-115.el6_10.src",
"product_id": "tomcat6-0:6.0.24-115.el6_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6@6.0.24-115.el6_10?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability can not be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite do not ship Tomcat and rather use its configuration. The product is not affected because configuration does not make use of PersistanceManager or FileStore. Tomcat updates can be obtain from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-11T11:36:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2529"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020:2530
Vulnerability from csaf_redhat - Published: 2020-06-11 14:04 - Updated: 2026-05-14 22:25

A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix fix Workaround | |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2530",
"url": "https://access.redhat.com/errata/RHSA-2020:2530"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2530.json"
}
],
"title": "Red Hat Security Advisory: tomcat security update",
"tracking": {
"current_release_date": "2026-05-14T22:25:35+00:00",
"generator": {
"date": "2026-05-14T22:25:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:2530",
"initial_release_date": "2020-06-11T14:04:22+00:00",
"revision_history": [
{
"date": "2020-06-11T14:04:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-11T14:04:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:25:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-admin-webapps@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-el-2.2-api@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-jsp-2.2-api@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-lib@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-servlet-3.0-api@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-webapps@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-docs-webapp@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-javadoc@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-jsvc@7.0.76-12.el7_8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-0:7.0.76-12.el7_8.src",
"product": {
"name": "tomcat-0:7.0.76-12.el7_8.src",
"product_id": "tomcat-0:7.0.76-12.el7_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@7.0.76-12.el7_8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite does not ship Tomcat and rather uses its configuration. The product is not affected because configuration does not make use of PersistentManager or FileStore. Tomcat updates can be obtained from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-11T14:04:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2530"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020:3017
Vulnerability from csaf_redhat - Published: 2020-07-27 13:08 - Updated: 2026-05-14 22:30
A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Runtimes Spring Boot 2.1.15 (Red Hat / Red Hat OpenShift Application Runtimes) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix, Workaround |
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Runtimes Spring Boot 2.1.15 (Red Hat / Red Hat OpenShift Application Runtimes) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat support for Spring Boot.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.\n\nThis release of Red Hat support for Spring Boot 2.1.15 serves as a replacement for Red Hat support for Spring Boot 2.1.13, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)\n\n* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3017",
"url": "https://access.redhat.com/errata/RHSA-2020:3017"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.spring.boot\u0026version=2.1.15",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.spring.boot\u0026version=2.1.15"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/index"
},
{
"category": "external",
"summary": "1705975",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1705975"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3017.json"
}
],
"title": "Red Hat Security Advisory: Red Hat support for Spring Boot 2.1.15 security and bug fix update",
"tracking": {
"current_release_date": "2026-05-14T22:30:10+00:00",
"generator": {
"date": "2026-05-14T22:30:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2020:3017",
"initial_release_date": "2020-07-27T13:08:48+00:00",
"revision_history": [
{
"date": "2020-07-27T13:08:48+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-07-27T13:08:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-14T22:30:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Runtimes Spring Boot 2.1.15",
"product": {
"name": "Red Hat Runtimes Spring Boot 2.1.15",
"product_id": "Red Hat Runtimes Spring Boot 2.1.15",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Application Runtimes"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Thomas Darimont"
]
}
],
"cve": "CVE-2020-1714",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2019-04-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1705975"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-1714"
},
{
"category": "external",
"summary": "RHBZ#1705975",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1705975"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-1714",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1714"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1714",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1714"
}
],
"release_date": "2020-05-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-27T13:08:48+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Runtimes Spring Boot 2.1.15"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3017"
},
{
"category": "workaround",
"details": "There is currently no known mitigation for this issue.",
"product_ids": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution"
},
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability can not be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite do not ship Tomcat and rather use its configuration. The product is not affected because configuration does not make use of PersistanceManager or FileStore. Tomcat updates can be obtain from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-27T13:08:48+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Runtimes Spring Boot 2.1.15"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3017"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020_2483
Vulnerability from csaf_redhat - Published: 2020-06-10 14:52 - Updated: 2024-11-15 09:34
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686 | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64 | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686 | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64 | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.src | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.src | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch | — | Vendor Fix, Workaround | |
| Unresolved product id: 6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and RHEL 7.\n\nRed Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat Remote Code Execution via session persistence (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2483",
"url": "https://access.redhat.com/errata/RHSA-2020:2483"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2483.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 9 security update",
"tracking": {
"current_release_date": "2024-11-15T09:34:10+00:00",
"generator": {
"date": "2024-11-15T09:34:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:2483",
"initial_release_date": "2020-06-10T14:52:29+00:00",
"revision_history": [
{
"date": "2020-06-10T14:52:29+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-10T14:52:29+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T09:34:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 3.1 for RHEL 7",
"product": {
"name": "Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 3.1 for RHEL 6",
"product": {
"name": "Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Server"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat7-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-lib-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-lib-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-lib-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-lib@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-log4j@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-selinux@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch",
"product": {
"name": "tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch",
"product_id": "tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-webapps@7.0.70-40.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-lib-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-lib-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-lib-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-lib@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-log4j@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-selinux@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch",
"product": {
"name": "tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch",
"product_id": "tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-webapps@8.0.36-44.ep7.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-lib-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-lib-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-lib-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-lib@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-log4j@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-selinux@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch",
"product": {
"name": "tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch",
"product_id": "tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8-webapps@8.0.36-44.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-lib-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-lib-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-lib-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-lib@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-log4j@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-selinux@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-40.ep7.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch",
"product": {
"name": "tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch",
"product_id": "tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7-webapps@7.0.70-40.ep7.el6?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat7-0:7.0.70-40.ep7.el7.src",
"product": {
"name": "tomcat7-0:7.0.70-40.ep7.el7.src",
"product_id": "tomcat7-0:7.0.70-40.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7@7.0.70-40.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "tomcat8-0:8.0.36-44.ep7.el7.src",
"product": {
"name": "tomcat8-0:8.0.36-44.ep7.el7.src",
"product_id": "tomcat8-0:8.0.36-44.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8@8.0.36-44.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src",
"product": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src",
"product_id": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-native@1.2.23-22.redhat_22.ep7.el7?arch=src"
}
}
},
{
"category": "product_version",
"name": "tomcat8-0:8.0.36-44.ep7.el6.src",
"product": {
"name": "tomcat8-0:8.0.36-44.ep7.el6.src",
"product_id": "tomcat8-0:8.0.36-44.ep7.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat8@8.0.36-44.ep7.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "tomcat7-0:7.0.70-40.ep7.el6.src",
"product": {
"name": "tomcat7-0:7.0.70-40.ep7.el6.src",
"product_id": "tomcat7-0:7.0.70-40.ep7.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat7@7.0.70-40.ep7.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src",
"product": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src",
"product_id": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-native@1.2.23-22.redhat_22.ep7.el6?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"product": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"product_id": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-native@1.2.23-22.redhat_22.ep7.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"product": {
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"product_id": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.23-22.redhat_22.ep7.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"product": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"product_id": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-native@1.2.23-22.redhat_22.ep7.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"product": {
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"product_id": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.23-22.redhat_22.ep7.el6?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686",
"product": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686",
"product_id": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-native@1.2.23-22.redhat_22.ep7.el6?arch=i686"
}
}
},
{
"category": "product_version",
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686",
"product": {
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686",
"product_id": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.23-22.redhat_22.ep7.el6?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686"
},
"product_reference": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src"
},
"product_reference": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64"
},
"product_reference": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686"
},
"product_reference": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64"
},
"product_reference": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-0:7.0.70-40.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.src"
},
"product_reference": "tomcat7-0:7.0.70-40.ep7.el6.src",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-lib-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-lib-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch"
},
"product_reference": "tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-0:8.0.36-44.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.src"
},
"product_reference": "tomcat8-0:8.0.36-44.ep7.el6.src",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-lib-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-lib-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6",
"product_id": "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch"
},
"product_reference": "tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch",
"relates_to_product_reference": "6Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src"
},
"product_reference": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64"
},
"product_reference": "tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64"
},
"product_reference": "tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-0:7.0.70-40.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.src"
},
"product_reference": "tomcat7-0:7.0.70-40.ep7.el7.src",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-lib-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-lib-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch"
},
"product_reference": "tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-0:8.0.36-44.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.src"
},
"product_reference": "tomcat8-0:8.0.36-44.ep7.el7.src",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-lib-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-lib-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7",
"product_id": "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch"
},
"product_reference": "tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch",
"relates_to_product_reference": "7Server-JWS-3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite does not ship Tomcat and rather uses its configuration. The product is not affected because the configuration does not make use of PersistentManager or FileStore. Tomcat updates can be obtained from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686",
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src",
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686",
"6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.src",
"6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.src",
"6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch",
"7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src",
"7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.src",
"7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.src",
"7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-10T14:52:29+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686",
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src",
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686",
"6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.src",
"6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.src",
"6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch",
"7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src",
"7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.src",
"7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.src",
"7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2483"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686",
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src",
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686",
"6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.src",
"6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.src",
"6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch",
"7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src",
"7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.src",
"7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.src",
"7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.i686",
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.src",
"6Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.i686",
"6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el6.x86_64",
"6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el6.src",
"6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el6.src",
"6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el6.noarch",
"6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el6.noarch",
"7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.src",
"7Server-JWS-3.1:tomcat-native-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.23-22.redhat_22.ep7.el7.x86_64",
"7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-0:7.0.70-40.ep7.el7.src",
"7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-lib-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-40.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-0:8.0.36-44.ep7.el7.src",
"7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-lib-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-44.ep7.el7.noarch",
"7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-44.ep7.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020_2487
Vulnerability from csaf_redhat - Published: 2020-06-10 15:04 - Updated: 2024-11-15 09:34

A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Web Server 3.1 (Red Hat / Red Hat JBoss Web Server) | cpe:/a:redhat:jboss_enterprise_web_server:3.1 | — | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat JBoss Web Server 3.1, for RHEL 6, RHEL 7 and Windows.\n\nRed Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat Remote Code Execution via session persistence (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2487",
"url": "https://access.redhat.com/errata/RHSA-2020:2487"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver\u0026downloadType=securityPatches\u0026version=3.1",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver\u0026downloadType=securityPatches\u0026version=3.1"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2487.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1 Service Pack 9 security update",
"tracking": {
"current_release_date": "2024-11-15T09:34:18+00:00",
"generator": {
"date": "2024-11-15T09:34:18+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:2487",
"initial_release_date": "2020-06-10T15:04:00+00:00",
"revision_history": [
{
"date": "2020-06-10T15:04:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-10T15:04:00+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T09:34:18+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 3.1",
"product": {
"name": "Red Hat JBoss Web Server 3.1",
"product_id": "Red Hat JBoss Web Server 3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:3.1"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Server"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability can not be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite do not ship Tomcat and rather use its configuration. The product is not affected because configuration does not make use of PersistanceManager or FileStore. Tomcat updates can be obtain from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Web Server 3.1"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-10T15:04:00+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat JBoss Web Server 3.1"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2487"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"Red Hat JBoss Web Server 3.1"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Web Server 3.1"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020_2506
Vulnerability from csaf_redhat - Published: 2020-06-10 16:28 - Updated: 2024-11-15 09:34

A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686 | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64 | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686 | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64 | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64 | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64 | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 7Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64 | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64 | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
| Unresolved product id: 8Base-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch | — | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Red Hat JBoss Web Server 5.3.1 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.3.1 serves as a replacement for Red Hat JBoss Web Server 5.3.0, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat Remote Code Execution via session persistence (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2506",
"url": "https://access.redhat.com/errata/RHSA-2020:2506"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2506.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Web Server 5.3.1 security update",
"tracking": {
"current_release_date": "2024-11-15T09:34:25+00:00",
"generator": {
"date": "2024-11-15T09:34:25+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:2506",
"initial_release_date": "2020-06-10T16:28:38+00:00",
"revision_history": [
{
"date": "2020-06-10T16:28:38+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-10T16:28:38+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T09:34:25+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product": {
"name": "Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product": {
"name": "Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat JBoss Web Server 5.3 for RHEL 8",
"product": {
"name": "Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el8"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Server"
},
{
"branches": [
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product": {
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_id": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.30-4.redhat_5.1.el7jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product": {
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_id": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.30-4.redhat_5.1.el6jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-admin-webapps@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-docs-webapp@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-el-3.0-api@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-javadoc@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-jsp-2.3-api@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-lib@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-selinux@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-servlet-4.0-api@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product": {
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_id": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-webapps@9.0.30-4.redhat_5.1.el8jws?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src",
"product": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src",
"product_id": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.30-4.redhat_5.1.el7jws?arch=src"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src",
"product": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src",
"product_id": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native@1.2.23-5.redhat_5.el7jws?arch=src"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src",
"product": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src",
"product_id": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.30-4.redhat_5.1.el6jws?arch=src"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src",
"product": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src",
"product_id": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native@1.2.23-5.redhat_5.el6jws?arch=src"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src",
"product": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src",
"product_id": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native@1.2.23-5.redhat_5.el8jws?arch=src"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src",
"product": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src",
"product_id": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat@9.0.30-4.redhat_5.1.el8jws?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64",
"product": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64",
"product_id": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native@1.2.23-5.redhat_5.el7jws?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64",
"product": {
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64",
"product_id": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native-debuginfo@1.2.23-5.redhat_5.el7jws?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64",
"product": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64",
"product_id": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native@1.2.23-5.redhat_5.el6jws?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64",
"product": {
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64",
"product_id": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native-debuginfo@1.2.23-5.redhat_5.el6jws?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64",
"product": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64",
"product_id": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native@1.2.23-5.redhat_5.el8jws?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64",
"product": {
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64",
"product_id": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native-debuginfo@1.2.23-5.redhat_5.el8jws?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686",
"product": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686",
"product_id": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native@1.2.23-5.redhat_5.el6jws?arch=i686"
}
}
},
{
"category": "product_version",
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686",
"product": {
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686",
"product_id": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/jws5-tomcat-native-debuginfo@1.2.23-5.redhat_5.el6jws?arch=i686"
}
}
}
],
"category": "architecture",
"name": "i686"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src"
},
"product_reference": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686 as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686"
},
"product_reference": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src"
},
"product_reference": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64 as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64"
},
"product_reference": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686 as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686"
},
"product_reference": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64 as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64"
},
"product_reference": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 6 Server",
"product_id": "6Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch"
},
"product_reference": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"relates_to_product_reference": "6Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src"
},
"product_reference": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src"
},
"product_reference": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64 as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64"
},
"product_reference": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64 as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64"
},
"product_reference": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 7 Server",
"product_id": "7Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch"
},
"product_reference": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"relates_to_product_reference": "7Server-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src"
},
"product_reference": "jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src"
},
"product_reference": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64 as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64"
},
"product_reference": "jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64 as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64"
},
"product_reference": "jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch as a component of Red Hat JBoss Web Server 5.3 for RHEL 8",
"product_id": "8Base-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch"
},
"product_reference": "jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"relates_to_product_reference": "8Base-JWS-5.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability can not be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite do not ship Tomcat and rather use its configuration. The product is not affected because configuration does not make use of PersistanceManager or FileStore. Tomcat updates can be obtain from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src",
"6Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64",
"6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686",
"6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64",
"6Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src",
"7Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src",
"7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64",
"7Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64",
"7Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src",
"8Base-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src",
"8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64",
"8Base-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64",
"8Base-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-10T16:28:38+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src",
"6Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64",
"6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686",
"6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64",
"6Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src",
"7Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src",
"7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64",
"7Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64",
"7Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src",
"8Base-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src",
"8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64",
"8Base-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64",
"8Base-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2506"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src",
"6Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64",
"6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686",
"6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64",
"6Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src",
"7Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src",
"7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64",
"7Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64",
"7Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src",
"8Base-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src",
"8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64",
"8Base-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64",
"8Base-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el6jws.src",
"6Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.i686",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.src",
"6Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el6jws.x86_64",
"6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.i686",
"6Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el6jws.x86_64",
"6Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"6Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el6jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el7jws.src",
"7Server-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.src",
"7Server-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el7jws.x86_64",
"7Server-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el7jws.x86_64",
"7Server-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"7Server-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el7jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-0:9.0.30-4.redhat_5.1.el8jws.src",
"8Base-JWS-5.3:jws5-tomcat-admin-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-docs-webapp-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-el-3.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-javadoc-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-jsp-2.3-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-lib-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.src",
"8Base-JWS-5.3:jws5-tomcat-native-0:1.2.23-5.redhat_5.el8jws.x86_64",
"8Base-JWS-5.3:jws5-tomcat-native-debuginfo-0:1.2.23-5.redhat_5.el8jws.x86_64",
"8Base-JWS-5.3:jws5-tomcat-selinux-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-servlet-4.0-api-0:9.0.30-4.redhat_5.1.el8jws.noarch",
"8Base-JWS-5.3:jws5-tomcat-webapps-0:9.0.30-4.redhat_5.1.el8jws.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020_2509
Vulnerability from csaf_redhat - Published: 2020-06-10 17:05 - Updated: 2024-11-15 09:34

A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat JBoss Web Server (JWS) 5.3 (Red Hat / Red Hat JBoss Web Server) | cpe:/a:redhat:jboss_enterprise_web_server:5.3 | — | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Red Hat JBoss Web Server 5.3.1 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8 and Windows.\n\nRed Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.3.1 serves as a replacement for Red Hat JBoss Web Server 5.3.0, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References.\n\nSecurity Fix(es):\n\n* tomcat: Apache Tomcat Remote Code Execution via session persistence (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2509",
"url": "https://access.redhat.com/errata/RHSA-2020:2509"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver\u0026downloadType=securityPatches\u0026version=5.3",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver\u0026downloadType=securityPatches\u0026version=5.3"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.3/",
"url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.3/"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2509.json"
}
],
"title": "Red Hat Security Advisory: Red Hat JBoss Web Server 5.3.1 security update",
"tracking": {
"current_release_date": "2024-11-15T09:34:33+00:00",
"generator": {
"date": "2024-11-15T09:34:33+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:2509",
"initial_release_date": "2020-06-10T17:05:40+00:00",
"revision_history": [
{
"date": "2020-06-10T17:05:40+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-10T17:05:40+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T09:34:33+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat JBoss Web Server (JWS) 5.3",
"product": {
"name": "Red Hat JBoss Web Server (JWS) 5.3",
"product_id": "Red Hat JBoss Web Server (JWS) 5.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:5.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat JBoss Web Server"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability can not be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite do not ship Tomcat and rather use its configuration. The product is not affected because configuration does not make use of PersistanceManager or FileStore. Tomcat updates can be obtain from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat JBoss Web Server (JWS) 5.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-10T17:05:40+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link for the update. You must be logged in to download the update.",
"product_ids": [
"Red Hat JBoss Web Server (JWS) 5.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2509"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"Red Hat JBoss Web Server (JWS) 5.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat JBoss Web Server (JWS) 5.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020_2529
Vulnerability from csaf_redhat - Published: 2020-06-11 11:36 - Updated: 2024-11-15 09:34

A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | | — | Vendor Fix, Workaround |
| Unresolved product id: 6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for tomcat6 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2529",
"url": "https://access.redhat.com/errata/RHSA-2020:2529"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2529.json"
}
],
"title": "Red Hat Security Advisory: tomcat6 security update",
"tracking": {
"current_release_date": "2024-11-15T09:34:36+00:00",
"generator": {
"date": "2024-11-15T09:34:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:2529",
"initial_release_date": "2020-06-11T11:36:42+00:00",
"revision_history": [
{
"date": "2020-06-11T11:36:42+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-11T11:36:42+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T09:34:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat6-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-admin-webapps@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-docs-webapp@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-el-2.1-api@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-javadoc@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-jsp-2.1-api@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-lib@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-servlet-2.5-api@6.0.24-115.el6_10?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"product": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"product_id": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6-webapps@6.0.24-115.el6_10?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat6-0:6.0.24-115.el6_10.src",
"product": {
"name": "tomcat6-0:6.0.24-115.el6_10.src",
"product_id": "tomcat6-0:6.0.24-115.el6_10.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat6@6.0.24-115.el6_10?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Desktop Optional (v. 6)",
"product_id": "6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Client-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux HPC Node Optional (v. 6)",
"product_id": "6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6ComputeNode-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)",
"product_id": "6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Server-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-0:6.0.24-115.el6_10.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src"
},
"product_reference": "tomcat6-0:6.0.24-115.el6_10.src",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-lib-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 6)",
"product_id": "6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
},
"product_reference": "tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"relates_to_product_reference": "6Workstation-optional-6.10.z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability can not be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite do not ship Tomcat and rather use its configuration. The product is not affected because configuration does not make use of PersistanceManager or FileStore. Tomcat updates can be obtain from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-11T11:36:42+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2529"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Client-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Client-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6ComputeNode-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6ComputeNode-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Server-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Server-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-0:6.0.24-115.el6_10.src",
"6Workstation-optional-6.10.z:tomcat6-admin-webapps-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-docs-webapp-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-el-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-javadoc-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-jsp-2.1-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-lib-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-servlet-2.5-api-0:6.0.24-115.el6_10.noarch",
"6Workstation-optional-6.10.z:tomcat6-webapps-0:6.0.24-115.el6_10.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020_2530
Vulnerability from csaf_redhat - Published: 2020-06-11 14:04 - Updated: 2024-11-15 09:34
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — | Vendor Fix, fix, Workaround | |
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch | — |
Vendor Fix
fix
Workaround
|
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:2530",
"url": "https://access.redhat.com/errata/RHSA-2020:2530"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_2530.json"
}
],
"title": "Red Hat Security Advisory: tomcat security update",
"tracking": {
"current_release_date": "2024-11-15T09:34:43+00:00",
"generator": {
"date": "2024-11-15T09:34:43+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:2530",
"initial_release_date": "2020-06-11T14:04:22+00:00",
"revision_history": [
{
"date": "2020-06-11T14:04:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-06-11T14:04:22+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T09:34:43+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::client"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::computenode"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::server"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
},
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product": {
"name": "Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7::workstation"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-admin-webapps@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-el-2.2-api@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-jsp-2.2-api@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-lib@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-servlet-3.0-api@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-webapps@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-docs-webapp@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-javadoc@7.0.76-12.el7_8?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"product": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"product_id": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat-jsvc@7.0.76-12.el7_8?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "tomcat-0:7.0.76-12.el7_8.src",
"product": {
"name": "tomcat-0:7.0.76-12.el7_8.src",
"product_id": "tomcat-0:7.0.76-12.el7_8.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/tomcat@7.0.76-12.el7_8?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client (v. 7)",
"product_id": "7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)",
"product_id": "7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Client-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)",
"product_id": "7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)",
"product_id": "7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7ComputeNode-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)",
"product_id": "7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Server-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-0:7.0.76-12.el7_8.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src"
},
"product_reference": "tomcat-0:7.0.76-12.el7_8.src",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-lib-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-lib-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "tomcat-webapps-0:7.0.76-12.el7_8.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)",
"product_id": "7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
},
"product_reference": "tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"relates_to_product_reference": "7Workstation-optional-7.8.Z"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite does not ship Tomcat and rather uses its configuration. The product is not affected because its configuration does not make use of PersistenceManager or FileStore. Tomcat updates can be obtained from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-06-11T14:04:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:2530"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Client-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Client-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7ComputeNode-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7ComputeNode-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Server-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Server-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-0:7.0.76-12.el7_8.src",
"7Workstation-optional-7.8.Z:tomcat-admin-webapps-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-docs-webapp-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-el-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-javadoc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsp-2.2-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-jsvc-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-lib-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-servlet-3.0-api-0:7.0.76-12.el7_8.noarch",
"7Workstation-optional-7.8.Z:tomcat-webapps-0:7.0.76-12.el7_8.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
RHSA-2020_3017
Vulnerability from csaf_redhat - Published: 2020-07-27 13:08 - Updated: 2024-11-15 09:36
A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Runtimes Spring Boot 2.1.15 (Red Hat / Red Hat OpenShift Application Runtimes) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix, Workaround |
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat Runtimes Spring Boot 2.1.15 (Red Hat / Red Hat OpenShift Application Runtimes) | cpe:/a:redhat:openshift_application_runtimes:1.0 | — | Vendor Fix, Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for Red Hat support for Spring Boot.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.\n\nThis release of Red Hat support for Spring Boot 2.1.15 serves as a replacement for Red Hat support for Spring Boot 2.1.13, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.\n\nSecurity Fix(es):\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)\n\n* tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2020:3017",
"url": "https://access.redhat.com/errata/RHSA-2020:3017"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.spring.boot\u0026version=2.1.15",
"url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions\u0026product=catRhoar.spring.boot\u0026version=2.1.15"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/index",
"url": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/index"
},
{
"category": "external",
"summary": "1705975",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1705975"
},
{
"category": "external",
"summary": "1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_3017.json"
}
],
"title": "Red Hat Security Advisory: Red Hat support for Spring Boot 2.1.15 security and bug fix update",
"tracking": {
"current_release_date": "2024-11-15T09:36:00+00:00",
"generator": {
"date": "2024-11-15T09:36:00+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2020:3017",
"initial_release_date": "2020-07-27T13:08:48+00:00",
"revision_history": [
{
"date": "2020-07-27T13:08:48+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2020-07-27T13:08:48+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T09:36:00+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Runtimes Spring Boot 2.1.15",
"product": {
"name": "Red Hat Runtimes Spring Boot 2.1.15",
"product_id": "Red Hat Runtimes Spring Boot 2.1.15",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenShift Application Runtimes"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Thomas Darimont"
]
}
],
"cve": "CVE-2020-1714",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"discovery_date": "2019-04-29T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1705975"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially lead to remote code execution.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-1714"
},
{
"category": "external",
"summary": "RHBZ#1705975",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1705975"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-1714",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-1714"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-1714",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-1714"
}
],
"release_date": "2020-05-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-27T13:08:48+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Runtimes Spring Boot 2.1.15"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3017"
},
{
"category": "workaround",
"details": "There is currently no known mitigation for this issue.",
"product_ids": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution"
},
{
"cve": "CVE-2020-9484",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"discovery_date": "2020-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1838332"
}
],
"notes": [
{
"category": "description",
"text": "A deserialization flaw was discovered in Apache Tomcat\u0027s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "tomcat: deserialization flaw in session persistence storage leading to RCE",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the pki-servlet-engine component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of pki-servlet-engine outside of these contexts is not supported. As a result, the vulnerability can not be triggered in supported configurations of these products. A future update may update Tomcat in pki-servlet-engine.\n\nRed Hat Satellite do not ship Tomcat and rather use its configuration. The product is not affected because configuration does not make use of PersistanceManager or FileStore. Tomcat updates can be obtain from Red Hat Enterprise Linux (RHEL) RHSA.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2020-9484"
},
{
"category": "external",
"summary": "RHBZ#1838332",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1838332"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2020-9484",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9484"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9484"
},
{
"category": "external",
"summary": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E",
"url": "http://mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5",
"url": "http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104",
"url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55",
"url": "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55"
},
{
"category": "external",
"summary": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35",
"url": "http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35"
}
],
"release_date": "2020-05-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2020-07-27T13:08:48+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.\n\nThe References section of this erratum contains a download link (you must log in to download the update).",
"product_ids": [
"Red Hat Runtimes Spring Boot 2.1.15"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2020:3017"
},
{
"category": "workaround",
"details": "Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
"product_ids": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Runtimes Spring Boot 2.1.15"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "tomcat: deserialization flaw in session persistence storage leading to RCE"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.