var-202005-1052
Vulnerability from variot
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. The program implements support for Servlet and JavaServer Page (JSP). The following products and versions are affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to Version 7.0.103. A deserialization flaw exists in Apache Tomcat's use of a FileStore. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-9484) The fix for CVE-2020-9484 was incomplete. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329). Solution:
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
The References section of this erratum contains a download link for the update. You must be logged in to download the update. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied. Description:
Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform. (CVE-2020-13935)
It was discovered that Tomcat incorrectly handled HTTP header parsing. In certain environments where Tomcat is located behind a reverse proxy, a remote attacker could possibly use this issue to perform HTTP Reqest Smuggling. (CVE-2020-1935)
It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis: Important: tomcat security update Advisory ID: RHSA-2020:2530-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:2530 Issue date: 2020-06-11 CVE Names: CVE-2020-9484 ==================================================================== 1. Summary:
An update for tomcat is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
- Description:
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
- tomcat: deserialization flaw in session persistence storage leading to RCE (CVE-2020-9484)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
- Package List:
Red Hat Enterprise Linux Client (v. 7):
Source: tomcat-7.0.76-12.el7_8.src.rpm
noarch: tomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch: tomcat-7.0.76-12.el7_8.noarch.rpm tomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm tomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm tomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-javadoc-7.0.76-12.el7_8.noarch.rpm tomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-jsvc-7.0.76-12.el7_8.noarch.rpm tomcat-lib-7.0.76-12.el7_8.noarch.rpm tomcat-webapps-7.0.76-12.el7_8.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source: tomcat-7.0.76-12.el7_8.src.rpm
noarch: tomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch: tomcat-7.0.76-12.el7_8.noarch.rpm tomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm tomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm tomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-javadoc-7.0.76-12.el7_8.noarch.rpm tomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-jsvc-7.0.76-12.el7_8.noarch.rpm tomcat-lib-7.0.76-12.el7_8.noarch.rpm tomcat-webapps-7.0.76-12.el7_8.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source: tomcat-7.0.76-12.el7_8.src.rpm
noarch: tomcat-7.0.76-12.el7_8.noarch.rpm tomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm tomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-lib-7.0.76-12.el7_8.noarch.rpm tomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm tomcat-webapps-7.0.76-12.el7_8.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch: tomcat-7.0.76-12.el7_8.noarch.rpm tomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm tomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm tomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-javadoc-7.0.76-12.el7_8.noarch.rpm tomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-jsvc-7.0.76-12.el7_8.noarch.rpm tomcat-lib-7.0.76-12.el7_8.noarch.rpm tomcat-webapps-7.0.76-12.el7_8.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: tomcat-7.0.76-12.el7_8.src.rpm
noarch: tomcat-7.0.76-12.el7_8.noarch.rpm tomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm tomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm tomcat-lib-7.0.76-12.el7_8.noarch.rpm tomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm tomcat-webapps-7.0.76-12.el7_8.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch: tomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm tomcat-javadoc-7.0.76-12.el7_8.noarch.rpm tomcat-jsvc-7.0.76-12.el7_8.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2020-9484 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iQIVAwUBXuH9rtzjgjWX9erEAQiuZA/7BY8EEQxcPpMTuZ1szv08nHLdHOShDyEr UqhsbGTHUgsqb+cIwbOJrz3nn66y4S/5MIDyUUI/77t5/z/LR8rD7zM+6mPcQyVy QjSTPH8xiVNq4CyMCJggmsb+jecS5BHRDEhHKjEyuqWCx9wJlQQTTFMvlUBypXLt AxJqARUjSFmgxSdjbZDhDIzpNH5RR0lyKCuHf9yd+X9FNomFEAFIjLz6oSXDiMYp Lf4YPas24BmF7CXTajzecKM2PZZEehtNVFFQLi96APXLQq8uZBw+8d4gTSq7SEsy U6MZm3R+1Lp9BgGgxD80dRDoAIFL1KNRKJnRUPan+SSKYLPkU2dOwdPVd2t4OxY1 whBcfo8z6zsGTHIxXu7756/AUYhBkvrI2CVOp1tzM+SMDlLkJL9eBuTbXw98ipI0 jAUKlqxksz///7ZCWugsLt9VhDZRSXUSk7JQ4ASQ9bQFouzsUiEv0MSTRW+ym9HU 8/FjgG/yznR3DrHOjKVY++Dw2LUg2lv/viBVjCl2h9lZoULK3eBwIUJ0fOYCRUOK mytOuin4i+pI+jHCm/W91sK+piAB5yirVpqra98zXaDGayN+V6mdTr3omPsNDMP5 VtOWpWiInHKmeN1cErONkxeAT/zHdFagRXEhqbnArSoZIC/SV4KrykDGHw+ldO/o yI/DufEuzcM\xbfNT -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================== Ubuntu Security Notice USN-4596-1 October 21, 2020
tomcat9 vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Tomcat. An attacker could possibly use this to cause Tomcat to consume resources, resulting in a denial of service. (CVE-2020-11996)
It was discovered that Tomcat did not properly release the HTTP/1.1 processor after the upgrade to HTTP/2. An attacker could possibly use this to generate an OutOfMemoryException, resulting in a denial of service. (CVE-2020-13934)
It was discovered that Tomcat did not properly validate the payload length in a WebSocket frame. An attacker could possibly use this to trigger an infinite loop, resulting in a denial of service. (CVE-2020-13935)
It was discovered that Tomcat did not properly deserialize untrusted data. An attacker could possibly use this issue to execute arbitrary code. (CVE-2020-9484)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 20.04 LTS: libtomcat9-embed-java 9.0.31-1ubuntu0.1 libtomcat9-java 9.0.31-1ubuntu0.1 tomcat9 9.0.31-1ubuntu0.1 tomcat9-common 9.0.31-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
For the stable distribution (buster), these problems have been fixed in version 9.0.31-1~deb10u2.
We recommend that you upgrade your tomcat9 packages.
For the detailed security status of tomcat9 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat9
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl8R6BwACgkQEMKTtsN8 TjbUrw//fOLw1bfjQwHr4fug5xgGtIjccQvMgZ6r4jVWDNUWGns/n0HBIg7IFANW 1LTBXunNygapGke96Cexs/mimcs47wr9Xj6B9R7935NgF7dbXiDPhX99fmMSu4qE mpt9GmynGSOqr2qt+bHMZSIrZ2rpT/WoDbmnVvK0h30Il7VZ2pMEbzq7gd7sfsbO 0FbQr9kza5d5kvih7DLfq/7plhLouyUhzAab3UUJvI1B3ASD4pfEFDSmBJusHJGG 2CTtrO8IFUyYW0ev4/I2KT6rrFiXccEtFhUlpU09SLpy96FP161UVoHILkPHhfqI 9XILKEf0mKVlDfq5q2TOY5WVl8palc5o/Z3xefO4/wZc7/qNNnyzwcNHl6s14czv REID8Llfbro3/XWHkwLXPNFr1VzYXZSX1XhTwKWPWaH+L5WsUSr5uryqIUvSQ96L tTWv3G7KZDwVlio1XJ1t7ZxMkKqEBjvucShFgaOIw1nVD1IrssMKMz9UJQCd4fH5 RtUakyBzUuPbAhUcunMj23n2slZ9WbCANIGKy56O6R71rYI9mYOG2nF2IuUct/F2 iG3/SLJCe2ghVx2Lgz8/nBhZfPEF5FZ2kPHb9KpjjyZ+vl8ZXH83heaYDlDAknXS bTsyFezxJiAwaa9xozjItZPdIBFP9lG8Txmv1AotH7WV/8dRsOU= =E8Ei -----END PGP SIGNATURE-----
Show details on source website{ "@context": { "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#", "affected_products": { "@id": "https://www.variotdbs.pl/ref/affected_products" }, "configurations": { "@id": "https://www.variotdbs.pl/ref/configurations" }, "credits": { "@id": "https://www.variotdbs.pl/ref/credits" }, "cvss": { "@id": "https://www.variotdbs.pl/ref/cvss/" }, "description": { "@id": "https://www.variotdbs.pl/ref/description/" }, "exploit_availability": { "@id": "https://www.variotdbs.pl/ref/exploit_availability/" }, "external_ids": { "@id": "https://www.variotdbs.pl/ref/external_ids/" }, "iot": { "@id": "https://www.variotdbs.pl/ref/iot/" }, "iot_taxonomy": { "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/" }, "patch": { "@id": "https://www.variotdbs.pl/ref/patch/" }, "problemtype_data": { "@id": "https://www.variotdbs.pl/ref/problemtype_data/" }, "references": { "@id": "https://www.variotdbs.pl/ref/references/" }, "sources": { "@id": "https://www.variotdbs.pl/ref/sources/" }, "sources_release_date": { "@id": "https://www.variotdbs.pl/ref/sources_release_date/" }, "sources_update_date": { "@id": "https://www.variotdbs.pl/ref/sources_update_date/" }, "threat_type": { "@id": "https://www.variotdbs.pl/ref/threat_type/" }, "title": { "@id": "https://www.variotdbs.pl/ref/title/" }, "type": { "@id": "https://www.variotdbs.pl/ref/type/" } }, "@id": "https://www.variotdbs.pl/vuln/VAR-202005-1052", "affected_products": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/affected_products#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "model": "workload manager", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.0.1" }, { "model": "fmw platform", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.4.0" }, { "model": "leap", "scope": "eq", "trust": 1.0, "vendor": "opensuse", "version": "15.1" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "10.0" }, { "model": "agile plm", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "9.3.3" }, { "model": "communications instant messaging server", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "10.0.1.4.0" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "32" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "20.04" }, { "model": "managed file transfer", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.3.0" }, { "model": "workload manager", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19c" }, { "model": "epolicy orchestrator", "scope": "eq", "trust": 1.0, "vendor": "mcafee", "version": "5.9.0" }, { "model": "workload manager", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "18c" }, { "model": "tomcat", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "9.0.43" }, { "model": "database", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "21c" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "10.0.0" }, { "model": "fmw platform", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.3.0" }, { "model": "mysql enterprise monitor", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.0.21" }, { "model": "siebel ui framework", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "20.12" }, { "model": "tomcat", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "7.0.108" }, { "model": "communications diameter signaling router", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.0.0.0" }, { "model": "communications element manager", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.2.2" }, { "model": "tomcat", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "7.0.0" }, { "model": "communications cloud native core policy", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.14.0" }, { "model": "database", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.0.1" }, { "model": "agile plm", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "9.3.6" }, { "model": "tomcat", "scope": "eq", "trust": 1.0, "vendor": "apache", "version": "9.0.0" }, { "model": "communications cloud native core binding support function", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "1.10.0" }, { "model": "siebel apps - marketing", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "21.9" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "9.0" }, { "model": "communications session report manager", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.2.2" }, { "model": "epolicy orchestrator", "scope": "eq", "trust": 1.0, "vendor": "mcafee", "version": "5.9.1" }, { "model": "linux", "scope": "eq", "trust": 1.0, "vendor": "debian", "version": "8.0" }, { "model": "agile engineering data management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "6.2.1.0" }, { "model": "tomcat", "scope": "lt", "trust": 1.0, "vendor": "apache", "version": "8.5.63" }, { "model": "ubuntu linux", "scope": "eq", "trust": 1.0, "vendor": "canonical", "version": "16.04" }, { "model": "epolicy orchestrator", "scope": "eq", "trust": 1.0, "vendor": "mcafee", "version": "5.10.0" }, { "model": "communications session route manager", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.2.2" }, { "model": "instantis enterprisetrack", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "17.1" }, { "model": "fedora", "scope": "eq", "trust": 1.0, "vendor": "fedoraproject", "version": "31" }, { "model": "database", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "19c" }, { "model": "transportation management", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "6.3.7" }, { "model": "agile plm", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "9.3.5" }, { "model": "tomcat", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "9.0.1" }, { "model": "managed file transfer", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "12.2.1.4.0" }, { "model": "communications element manager", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.2.0" }, { "model": "communications diameter signaling router", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "8.4.0.5" }, { "model": "hospitality guest access", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "4.2.1" }, { "model": "communications session report manager", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.2.0" }, { "model": "retail order broker", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "15.0" }, { "model": "communications session route manager", "scope": "gte", "trust": 1.0, "vendor": "oracle", "version": "8.2.0" }, { "model": "hospitality guest access", "scope": "eq", "trust": 1.0, "vendor": "oracle", "version": "4.2.0" }, { "model": "instantis enterprisetrack", "scope": "lte", "trust": 1.0, "vendor": "oracle", "version": "17.3" }, { "model": "tomcat", "scope": "gte", "trust": 1.0, "vendor": "apache", "version": "8.5.0" } ], "sources": [ { "db": "NVD", "id": "CVE-2020-9484" } ] }, "configurations": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/configurations#", "children": { "@container": "@list" }, "cpe_match": { "@container": "@list" }, "data": { "@container": "@list" }, "nodes": { "@container": "@list" } }, "data": [ { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "7.0.108", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "8.5.63", "versionStartIncluding": "8.5.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndExcluding": "9.0.43", "versionStartIncluding": "9.0.1", "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:database:12.2.0.1:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "17.3", "versionStartIncluding": "17.1", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:database:19c:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "8.4.0.5", "versionStartIncluding": "8.0.0.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "20.12", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "8.2.2", "versionStartIncluding": "8.2.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "8.2.2", "versionStartIncluding": "8.2.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "8.2.2", "versionStartIncluding": "8.2.0", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "8.0.21", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:database:21c:*:*:*:enterprise:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:siebel_apps_-_marketing:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "21.9", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:fmw_platform:12.2.1.4.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" }, { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.9.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:update_3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:mcafee:epolicy_orchestrator:5.10.0:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] } ], "sources": [ { "db": "NVD", "id": "CVE-2020-9484" } ] }, "credits": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/credits#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat", "sources": [ { "db": "PACKETSTORM", "id": "158030" }, { "db": "PACKETSTORM", "id": "158029" }, { "db": "PACKETSTORM", "id": "158050" }, { "db": "PACKETSTORM", "id": "158621" }, { "db": "PACKETSTORM", "id": "158049" }, { "db": "PACKETSTORM", "id": "158034" } ], "trust": 0.6 }, "cve": "CVE-2020-9484", "cvss": { "@context": { "cvssV2": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2" }, "cvssV3": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#" }, "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/" }, "severity": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/cvss/severity#" }, "@id": "https://www.variotdbs.pl/ref/cvss/severity" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" }, "@id": "https://www.variotdbs.pl/ref/sources" } }, "data": [ { "cvssV2": [ { "acInsufInfo": false, "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "author": "NVD", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.4, "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "trust": 1.0, "userInteractionRequired": false, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "author": "VULHUB", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.4, "id": "VHN-187609", "impactScore": 6.4, "integrityImpact": "PARTIAL", "severity": "MEDIUM", "trust": 0.1, "vectorString": "AV:L/AC:M/AU:N/C:P/I:P/A:P", "version": "2.0" }, { "acInsufInfo": null, "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "author": "VULMON", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "exploitabilityScore": 3.4, "id": "CVE-2020-9484", "impactScore": 6.4, "integrityImpact": "PARTIAL", "obtainAllPrivilege": null, "obtainOtherPrivilege": null, "obtainUserPrivilege": null, "severity": "MEDIUM", "trust": 0.1, "userInteractionRequired": null, "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" } ], "cvssV3": [ { "attackComplexity": "HIGH", "attackVector": "LOCAL", "author": "NVD", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "exploitabilityScore": 1.0, "impactScore": 5.9, "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "trust": 1.0, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" } ], "severity": [ { "author": "NVD", "id": "CVE-2020-9484", "trust": 1.0, "value": "HIGH" }, { "author": "VULHUB", "id": "VHN-187609", "trust": 0.1, "value": "MEDIUM" }, { "author": "VULMON", "id": "CVE-2020-9484", "trust": 0.1, "value": "MEDIUM" } ] } ], "sources": [ { "db": "VULHUB", "id": "VHN-187609" }, { "db": "VULMON", "id": "CVE-2020-9484" }, { "db": "NVD", "id": "CVE-2020-9484" } ] }, "description": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/description#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\"null\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. The program implements support for Servlet and JavaServer Page (JSP). The following products and versions are affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M4, 9.0.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54, 7.0.0 to Version 7.0.103. A deserialization flaw exists in Apache Tomcat\u0027s use of a FileStore. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-9484)\nThe fix for CVE-2020-9484 was incomplete. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329). Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nThe References section of this erratum contains a download link for the\nupdate. You must be logged in to download the update. Description:\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library. \n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 9 serves as a\nreplacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which\nare documented in the Release Notes document linked to in the References. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. Description:\n\nRed Hat support for Spring Boot provides an application platform that\nreduces the complexity of developing and operating applications (monoliths\nand microservices) for OpenShift as a containerized platform. (CVE-2020-13935)\n\nIt was discovered that Tomcat incorrectly handled HTTP header parsing. In\ncertain environments where Tomcat is located behind a reverse proxy, a\nremote attacker could possibly use this issue to perform HTTP Reqest\nSmuggling. (CVE-2020-1935)\n\nIt was discovered that Tomcat incorrectly handled certain uncommon\nPersistenceManager with FileStore configurations. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n==================================================================== \nRed Hat Security Advisory\n\nSynopsis: Important: tomcat security update\nAdvisory ID: RHSA-2020:2530-01\nProduct: Red Hat Enterprise Linux\nAdvisory URL: https://access.redhat.com/errata/RHSA-2020:2530\nIssue date: 2020-06-11\nCVE Names: CVE-2020-9484\n====================================================================\n1. Summary:\n\nAn update for tomcat is now available for Red Hat Enterprise Linux 7. \n\nRed Hat Product Security has rated this update as having a security impact\nof Important. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available for each vulnerability\nfrom the CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux Client (v. 7) - noarch\nRed Hat Enterprise Linux Client Optional (v. 7) - noarch\nRed Hat Enterprise Linux ComputeNode (v. 7) - noarch\nRed Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch\nRed Hat Enterprise Linux Server (v. 7) - noarch\nRed Hat Enterprise Linux Server Optional (v. 7) - noarch\nRed Hat Enterprise Linux Workstation (v. 7) - noarch\nRed Hat Enterprise Linux Workstation Optional (v. 7) - noarch\n\n3. Description:\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies. \n\nSecurity Fix(es):\n\n* tomcat: deserialization flaw in session persistence storage leading to\nRCE (CVE-2020-9484)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1838332 - CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE\n\n6. Package List:\n\nRed Hat Enterprise Linux Client (v. 7):\n\nSource:\ntomcat-7.0.76-12.el7_8.src.rpm\n\nnoarch:\ntomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm\n\nRed Hat Enterprise Linux Client Optional (v. 7):\n\nnoarch:\ntomcat-7.0.76-12.el7_8.noarch.rpm\ntomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm\ntomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm\ntomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-javadoc-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsvc-7.0.76-12.el7_8.noarch.rpm\ntomcat-lib-7.0.76-12.el7_8.noarch.rpm\ntomcat-webapps-7.0.76-12.el7_8.noarch.rpm\n\nRed Hat Enterprise Linux ComputeNode (v. 7):\n\nSource:\ntomcat-7.0.76-12.el7_8.src.rpm\n\nnoarch:\ntomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm\n\nRed Hat Enterprise Linux ComputeNode Optional (v. 7):\n\nnoarch:\ntomcat-7.0.76-12.el7_8.noarch.rpm\ntomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm\ntomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm\ntomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-javadoc-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsvc-7.0.76-12.el7_8.noarch.rpm\ntomcat-lib-7.0.76-12.el7_8.noarch.rpm\ntomcat-webapps-7.0.76-12.el7_8.noarch.rpm\n\nRed Hat Enterprise Linux Server (v. 7):\n\nSource:\ntomcat-7.0.76-12.el7_8.src.rpm\n\nnoarch:\ntomcat-7.0.76-12.el7_8.noarch.rpm\ntomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm\ntomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-lib-7.0.76-12.el7_8.noarch.rpm\ntomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-webapps-7.0.76-12.el7_8.noarch.rpm\n\nRed Hat Enterprise Linux Server Optional (v. 7):\n\nnoarch:\ntomcat-7.0.76-12.el7_8.noarch.rpm\ntomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm\ntomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm\ntomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-javadoc-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsvc-7.0.76-12.el7_8.noarch.rpm\ntomcat-lib-7.0.76-12.el7_8.noarch.rpm\ntomcat-webapps-7.0.76-12.el7_8.noarch.rpm\n\nRed Hat Enterprise Linux Workstation (v. 7):\n\nSource:\ntomcat-7.0.76-12.el7_8.src.rpm\n\nnoarch:\ntomcat-7.0.76-12.el7_8.noarch.rpm\ntomcat-admin-webapps-7.0.76-12.el7_8.noarch.rpm\ntomcat-el-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsp-2.2-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-lib-7.0.76-12.el7_8.noarch.rpm\ntomcat-servlet-3.0-api-7.0.76-12.el7_8.noarch.rpm\ntomcat-webapps-7.0.76-12.el7_8.noarch.rpm\n\nRed Hat Enterprise Linux Workstation Optional (v. 7):\n\nnoarch:\ntomcat-docs-webapp-7.0.76-12.el7_8.noarch.rpm\ntomcat-javadoc-7.0.76-12.el7_8.noarch.rpm\ntomcat-jsvc-7.0.76-12.el7_8.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2020-9484\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBXuH9rtzjgjWX9erEAQiuZA/7BY8EEQxcPpMTuZ1szv08nHLdHOShDyEr\nUqhsbGTHUgsqb+cIwbOJrz3nn66y4S/5MIDyUUI/77t5/z/LR8rD7zM+6mPcQyVy\nQjSTPH8xiVNq4CyMCJggmsb+jecS5BHRDEhHKjEyuqWCx9wJlQQTTFMvlUBypXLt\nAxJqARUjSFmgxSdjbZDhDIzpNH5RR0lyKCuHf9yd+X9FNomFEAFIjLz6oSXDiMYp\nLf4YPas24BmF7CXTajzecKM2PZZEehtNVFFQLi96APXLQq8uZBw+8d4gTSq7SEsy\nU6MZm3R+1Lp9BgGgxD80dRDoAIFL1KNRKJnRUPan+SSKYLPkU2dOwdPVd2t4OxY1\nwhBcfo8z6zsGTHIxXu7756/AUYhBkvrI2CVOp1tzM+SMDlLkJL9eBuTbXw98ipI0\njAUKlqxksz///7ZCWugsLt9VhDZRSXUSk7JQ4ASQ9bQFouzsUiEv0MSTRW+ym9HU\n8/FjgG/yznR3DrHOjKVY++Dw2LUg2lv/viBVjCl2h9lZoULK3eBwIUJ0fOYCRUOK\nmytOuin4i+pI+jHCm/W91sK+piAB5yirVpqra98zXaDGayN+V6mdTr3omPsNDMP5\nVtOWpWiInHKmeN1cErONkxeAT/zHdFagRXEhqbnArSoZIC/SV4KrykDGHw+ldO/o\nyI/DufEuzcM\\xbfNT\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. ==========================================================================\nUbuntu Security Notice USN-4596-1\nOctober 21, 2020\n\ntomcat9 vulnerabilities\n==========================================================================\n\nA security issue affects these releases of Ubuntu and its derivatives:\n\n- Ubuntu 20.04 LTS\n\nSummary:\n\nSeveral security issues were fixed in Tomcat. An\nattacker could possibly use this to cause Tomcat to consume resources,\nresulting in a denial of service. (CVE-2020-11996)\n\nIt was discovered that Tomcat did not properly release the HTTP/1.1\nprocessor after the upgrade to HTTP/2. An attacker could possibly use\nthis to generate an OutOfMemoryException, resulting in a denial of\nservice. (CVE-2020-13934)\n\nIt was discovered that Tomcat did not properly validate the payload\nlength in a WebSocket frame. An attacker could possibly use this to\ntrigger an infinite loop, resulting in a denial of service. (CVE-2020-13935)\n\nIt was discovered that Tomcat did not properly deserialize untrusted\ndata. An attacker could possibly use this issue to execute arbitrary\ncode. (CVE-2020-9484)\n\nUpdate instructions:\n\nThe problem can be corrected by updating your system to the following\npackage versions:\n\nUbuntu 20.04 LTS:\n libtomcat9-embed-java 9.0.31-1ubuntu0.1\n libtomcat9-java 9.0.31-1ubuntu0.1\n tomcat9 9.0.31-1ubuntu0.1\n tomcat9-common 9.0.31-1ubuntu0.1\n\nIn general, a standard system update will make all the necessary changes. \n\nFor the stable distribution (buster), these problems have been fixed in\nversion 9.0.31-1~deb10u2. \n\nWe recommend that you upgrade your tomcat9 packages. \n\nFor the detailed security status of tomcat9 please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/tomcat9\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n-----BEGIN PGP SIGNATURE-----\n\niQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl8R6BwACgkQEMKTtsN8\nTjbUrw//fOLw1bfjQwHr4fug5xgGtIjccQvMgZ6r4jVWDNUWGns/n0HBIg7IFANW\n1LTBXunNygapGke96Cexs/mimcs47wr9Xj6B9R7935NgF7dbXiDPhX99fmMSu4qE\nmpt9GmynGSOqr2qt+bHMZSIrZ2rpT/WoDbmnVvK0h30Il7VZ2pMEbzq7gd7sfsbO\n0FbQr9kza5d5kvih7DLfq/7plhLouyUhzAab3UUJvI1B3ASD4pfEFDSmBJusHJGG\n2CTtrO8IFUyYW0ev4/I2KT6rrFiXccEtFhUlpU09SLpy96FP161UVoHILkPHhfqI\n9XILKEf0mKVlDfq5q2TOY5WVl8palc5o/Z3xefO4/wZc7/qNNnyzwcNHl6s14czv\nREID8Llfbro3/XWHkwLXPNFr1VzYXZSX1XhTwKWPWaH+L5WsUSr5uryqIUvSQ96L\ntTWv3G7KZDwVlio1XJ1t7ZxMkKqEBjvucShFgaOIw1nVD1IrssMKMz9UJQCd4fH5\nRtUakyBzUuPbAhUcunMj23n2slZ9WbCANIGKy56O6R71rYI9mYOG2nF2IuUct/F2\niG3/SLJCe2ghVx2Lgz8/nBhZfPEF5FZ2kPHb9KpjjyZ+vl8ZXH83heaYDlDAknXS\nbTsyFezxJiAwaa9xozjItZPdIBFP9lG8Txmv1AotH7WV/8dRsOU=\n=E8Ei\n-----END PGP SIGNATURE-----\n", "sources": [ { "db": "NVD", "id": "CVE-2020-9484" }, { "db": "VULHUB", "id": "VHN-187609" }, { "db": "VULMON", "id": "CVE-2020-9484" }, { "db": "PACKETSTORM", "id": "158030" }, { "db": "PACKETSTORM", "id": "158029" }, { "db": "PACKETSTORM", "id": "158050" }, { "db": "PACKETSTORM", "id": "158621" }, { "db": "PACKETSTORM", "id": "158761" }, { "db": "PACKETSTORM", "id": "158049" }, { "db": "PACKETSTORM", "id": "158034" }, { "db": "PACKETSTORM", "id": "159666" }, { "db": "PACKETSTORM", "id": "168857" } ], "trust": 1.89 }, "exploit_availability": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/exploit_availability#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "reference": "https://www.scap.org.cn/vuln/vhn-187609", "trust": 0.1, "type": "unknown" } ], "sources": [ { "db": "VULHUB", "id": "VHN-187609" } ] }, "external_ids": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/external_ids#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "db": "NVD", "id": "CVE-2020-9484", "trust": 2.1 }, { "db": "PACKETSTORM", "id": "157924", "trust": 1.1 }, { "db": "MCAFEE", "id": "SB10332", "trust": 1.1 }, { "db": "OPENWALL", "id": "OSS-SECURITY/2021/03/01/2", "trust": 1.1 }, { "db": "PACKETSTORM", "id": "158029", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "158030", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "158761", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "158049", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "159666", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "158034", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "158050", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "158621", "trust": 0.2 }, { "db": "PACKETSTORM", "id": "167841", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "158032", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "158103", "trust": 0.1 }, { "db": "SEEBUG", "id": "SSVID-98234", "trust": 0.1 }, { "db": "CNVD", "id": "CNVD-2020-34449", "trust": 0.1 }, { "db": "CNNVD", "id": "CNNVD-202005-1078", "trust": 0.1 }, { "db": "VULHUB", "id": "VHN-187609", "trust": 0.1 }, { "db": "VULMON", "id": "CVE-2020-9484", "trust": 0.1 }, { "db": "PACKETSTORM", "id": "168857", "trust": 0.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-187609" }, { "db": "VULMON", "id": "CVE-2020-9484" }, { "db": "PACKETSTORM", "id": "158030" }, { "db": "PACKETSTORM", "id": "158029" }, { "db": "PACKETSTORM", "id": "158050" }, { "db": "PACKETSTORM", "id": "158621" }, { "db": "PACKETSTORM", "id": "158761" }, { "db": "PACKETSTORM", "id": "158049" }, { "db": "PACKETSTORM", "id": "158034" }, { "db": "PACKETSTORM", "id": "159666" }, { "db": "PACKETSTORM", "id": "168857" }, { "db": "NVD", "id": "CVE-2020-9484" } ] }, "id": "VAR-202005-1052", "iot": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/iot#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": true, "sources": [ { "db": "VULHUB", "id": "VHN-187609" } ], "trust": 0.01 }, "last_update_date": "2024-07-23T20:45:17.285000Z", "patch": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/patch#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "title": "Red Hat: Important: Red Hat JBoss Web Server 5.3.1 security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202509 - security advisory" }, { "title": "Red Hat: Important: tomcat security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202530 - security advisory" }, { "title": "Red Hat: Important: Red Hat JBoss Web Server 5.3.1 security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202506 - security advisory" }, { "title": "Red Hat: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202487 - security advisory" }, { "title": "Red Hat: Important: tomcat6 security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202529 - security advisory" }, { "title": "Red Hat: Important: Red Hat JBoss Web Server 3.1 Service Pack 9 security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20202483 - security advisory" }, { "title": "Debian CVElist Bug Report Logs: tomcat9: CVE-2020-9484", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs\u0026qid=cc55062b1693f83a222063668ffd932c" }, { "title": "Red Hat: Important: Red Hat support for Spring Boot 2.1.15 security and bug fix update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20203017 - security advisory" }, { "title": "Amazon Linux AMI: ALAS-2020-1389", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2020-1389" }, { "title": "Amazon Linux AMI: ALAS-2020-1390", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2020-1390" }, { "title": "Arch Linux Advisories: [ASA-202006-5] tomcat8: arbitrary code execution", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202006-5" }, { "title": "Amazon Linux 2: ALAS2-2020-1449", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alas2-2020-1449" }, { "title": "Arch Linux Advisories: [ASA-202006-7] tomcat9: arbitrary code execution", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202006-7" }, { "title": "Arch Linux Advisories: [ASA-202005-19] tomcat7: arbitrary code execution", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202005-19" }, { "title": "Amazon Linux AMI: ALAS-2021-1493", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2021-1493" }, { "title": "Amazon Linux 2: ALASTOMCAT8.5-2023-008", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alastomcat8.5-2023-008" }, { "title": "Amazon Linux AMI: ALAS-2021-1491", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami\u0026qid=alas-2021-1491" }, { "title": "Arch Linux Advisories: [ASA-202005-18] tomcat9: arbitrary code execution", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202005-18" }, { "title": "Arch Linux Advisories: [ASA-202006-6] tomcat7: arbitrary code execution", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202006-6" }, { "title": "Arch Linux Advisories: [ASA-202005-20] tomcat8: arbitrary code execution", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories\u0026qid=asa-202005-20" }, { "title": "Arch Linux Issues: ", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues\u0026qid=cve-2020-9484 log" }, { "title": "Debian Security Advisories: DSA-4727-1 tomcat9 -- security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=948379f644728cd78397969845b23817" }, { "title": "Debian Security Advisories: DSA-5265-1 tomcat9 -- security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories\u0026qid=5ff46eee51fe9c568d7579825e9f7646" }, { "title": "Ubuntu Security Notice: USN-5360-1: Tomcat vulnerabilities", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice\u0026qid=usn-5360-1" }, { "title": "Amazon Linux 2: ALASTOMCAT8.5-2023-009", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=amazon_linux2\u0026qid=alastomcat8.5-2023-009" }, { "title": "IBM: Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=b4bdf241c7e678e09423e98e7d3134b8" }, { "title": "IBM: Security Bulletin: Multiple Apache Tomcat Vulnerabilities Affect IBM Control Center", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog\u0026qid=6625900b3dffe0c4351300480ad4824f" }, { "title": "Red Hat: Important: Red Hat Fuse 7.11.0 release and security update", "trust": 0.1, "url": "https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories\u0026qid=rhsa-20225532 - security advisory" }, { "title": "https://github.com/osamahamad/CVE-2020-9484-Mass-Scan", "trust": 0.1, "url": "https://github.com/osamahamad/cve-2020-9484-mass-scan " }, { "title": "https://github.com/anjai94/CVE-2020-9484-exploit", "trust": 0.1, "url": "https://github.com/anjai94/cve-2020-9484-exploit " }, { "title": "CVE-2020-9484", "trust": 0.1, "url": "https://github.com/dxy0411/cve-2020-9484 " }, { "title": "CVE-2020-9484", "trust": 0.1, "url": "https://github.com/assassinukg/cve-2020-9484 " }, { "title": "summary", "trust": 0.1, "url": "https://github.com/catbamboo/catbamboo.github.io " } ], "sources": [ { "db": "VULMON", "id": "CVE-2020-9484" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-502", "trust": 1.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-187609" }, { "db": "NVD", "id": "CVE-2020-9484" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.1, "url": "https://security.netapp.com/advisory/ntap-20200528-0005/" }, { "trust": 1.1, "url": "https://www.debian.org/security/2020/dsa-4727" }, { "trust": 1.1, "url": "http://seclists.org/fulldisclosure/2020/jun/6" }, { "trust": 1.1, "url": "https://security.gentoo.org/glsa/202006-21" }, { "trust": 1.1, "url": "http://packetstormsecurity.com/files/157924/apache-tomcat-cve-2020-9484-proof-of-concept.html" }, { "trust": 1.1, "url": "https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3cannounce.tomcat.apache.org%3e" }, { "trust": 1.1, "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "trust": 1.1, "url": "https://www.oracle.com/security-alerts/cpuapr2021.html" }, { "trust": 1.1, "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "trust": 1.1, "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "trust": 1.1, "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "trust": 1.1, "url": "https://www.oracle.com/security-alerts/cpujul2022.html" }, { "trust": 1.1, "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "trust": 1.1, "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" }, { "trust": 1.1, "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html" }, { "trust": 1.1, "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html" }, { "trust": 1.1, "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html" }, { "trust": 1.1, "url": "http://www.openwall.com/lists/oss-security/2021/03/01/2" }, { "trust": 1.1, "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html" }, { "trust": 1.1, "url": "https://usn.ubuntu.com/4448-1/" }, { "trust": 1.1, "url": "https://usn.ubuntu.com/4596-1/" }, { "trust": 1.0, "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=sb10332" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c%40%3ccommits.tomee.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c%40%3ccommits.tomee.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f%40%3ccommits.tomee.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3%40%3ccommits.tomee.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119%40%3ccommits.tomee.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cannounce.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cannounce.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cdev.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3cusers.tomcat.apache.org%3e" }, { "trust": 1.0, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/giqhxentlyunoes4lxvnj2ncuqqrf5vj/" }, { "trust": 1.0, "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/wj7xhkwjwdnwxujh6ub7cliw4twoz26n/" }, { "trust": 0.9, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-9484" }, { "trust": 0.6, "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.6, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.6, "url": "https://access.redhat.com/security/cve/cve-2020-9484" }, { "trust": 0.6, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.6, "url": "https://access.redhat.com/security/updates/classification/#important" }, { "trust": 0.3, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.3, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-13935" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11996" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-13934" }, { "trust": 0.1, "url": "https://kc.mcafee.com/corporate/index?page=content\u0026amp;id=sb10332" }, { "trust": 0.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/wj7xhkwjwdnwxujh6ub7cliw4twoz26n/" }, { "trust": 0.1, "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/giqhxentlyunoes4lxvnj2ncuqqrf5vj/" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cannounce.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cannounce.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c@%3cdev.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3cusers.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469@%3cusers.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3cusers.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3cusers.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3cusers.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3cusers.tomcat.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3@%3ccommits.tomee.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119@%3ccommits.tomee.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c@%3ccommits.tomee.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f@%3ccommits.tomee.apache.org%3e" }, { "trust": 0.1, "url": "https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c@%3ccommits.tomee.apache.org%3e" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:2487" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=webserver\u0026downloadtype=securitypatches\u0026version=3.1" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:2483" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:2529" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:3017" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/index" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1714" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product\\xcatrhoar.spring.boot\u0026version=2.1.15" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2020-1714" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.13" }, { "trust": 0.1, "url": "https://usn.ubuntu.com/4448-1" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1935" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:2530" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2020:2509" }, { "trust": 0.1, "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=webserver\u0026downloadtype=securitypatches\u0026version=5.3" }, { "trust": 0.1, "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.3/" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.1" }, { "trust": 0.1, "url": "https://usn.ubuntu.com/4596-1" }, { "trust": 0.1, "url": "https://www.debian.org/security/faq" }, { "trust": 0.1, "url": "https://security-tracker.debian.org/tracker/tomcat9" }, { "trust": 0.1, "url": "https://www.debian.org/security/" } ], "sources": [ { "db": "VULHUB", "id": "VHN-187609" }, { "db": "PACKETSTORM", "id": "158030" }, { "db": "PACKETSTORM", "id": "158029" }, { "db": "PACKETSTORM", "id": "158050" }, { "db": "PACKETSTORM", "id": "158621" }, { "db": "PACKETSTORM", "id": "158761" }, { "db": "PACKETSTORM", "id": "158049" }, { "db": "PACKETSTORM", "id": "158034" }, { "db": "PACKETSTORM", "id": "159666" }, { "db": "PACKETSTORM", "id": "168857" }, { "db": "NVD", "id": "CVE-2020-9484" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-187609" }, { "db": "VULMON", "id": "CVE-2020-9484" }, { "db": "PACKETSTORM", "id": "158030" }, { "db": "PACKETSTORM", "id": "158029" }, { "db": "PACKETSTORM", "id": "158050" }, { "db": "PACKETSTORM", "id": "158621" }, { "db": "PACKETSTORM", "id": "158761" }, { "db": "PACKETSTORM", "id": "158049" }, { "db": "PACKETSTORM", "id": "158034" }, { "db": "PACKETSTORM", "id": "159666" }, { "db": "PACKETSTORM", "id": "168857" }, { "db": "NVD", "id": "CVE-2020-9484" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2020-05-20T00:00:00", "db": "VULHUB", "id": "VHN-187609" }, { "date": "2020-05-20T00:00:00", "db": "VULMON", "id": "CVE-2020-9484" }, { "date": "2020-06-11T16:33:05", "db": "PACKETSTORM", "id": "158030" }, { "date": "2020-06-11T16:32:58", "db": "PACKETSTORM", "id": "158029" }, { "date": "2020-06-11T16:36:37", "db": "PACKETSTORM", "id": "158050" }, { "date": "2020-07-27T18:44:59", "db": "PACKETSTORM", "id": "158621" }, { "date": "2020-08-05T15:19:31", "db": "PACKETSTORM", "id": "158761" }, { "date": "2020-06-11T16:36:30", "db": "PACKETSTORM", "id": "158049" }, { "date": "2020-06-11T16:33:52", "db": "PACKETSTORM", "id": "158034" }, { "date": "2020-10-21T15:52:39", "db": "PACKETSTORM", "id": "159666" }, { "date": "2020-07-28T19:12:00", "db": "PACKETSTORM", "id": "168857" }, { "date": "2020-05-20T19:15:09.257000", "db": "NVD", "id": "CVE-2020-9484" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-07-25T00:00:00", "db": "VULHUB", "id": "VHN-187609" }, { "date": "2023-11-07T00:00:00", "db": "VULMON", "id": "CVE-2020-9484" }, { "date": "2023-11-07T03:26:54.770000", "db": "NVD", "id": "CVE-2020-9484" } ] }, "threat_type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/threat_type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "remote", "sources": [ { "db": "PACKETSTORM", "id": "158761" } ], "trust": 0.1 }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat Security Advisory 2020-2487-01", "sources": [ { "db": "PACKETSTORM", "id": "158030" } ], "trust": 0.1 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "code execution", "sources": [ { "db": "PACKETSTORM", "id": "158030" }, { "db": "PACKETSTORM", "id": "158029" }, { "db": "PACKETSTORM", "id": "158621" }, { "db": "PACKETSTORM", "id": "158034" }, { "db": "PACKETSTORM", "id": "168857" } ], "trust": 0.5 } }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.