Intrusion PreventionApache.Tomcat.Session.Persistence.Remote.Code.Execution
Description
This indicates an attack attempt on a Remote Code Execution Vulnerability in Apache Tomcat.
The vulnerability is due to insufficient validation of user supplied input when handling a maliciously crafted HTTP request. A successful attack may allow a remote attacker to execute arbitrary local files, via a crafted HTTP request.
Affected Products
Apache Tomcat 10.x < 10.0.0-M5
Apache Tomcat 9.x < 9.0.35
Apache Tomcat 8.x < 8.5.55
Apache Tomcat 7.x < 7.0.104
Impact
System Compromise: Remote attackers can gain control of vulnerable systems.
Recommended Actions
Upgrade to Apache Tomcat 10.0.0-M5 or later
Upgrade to Apache Tomcat 9.0.35 or later
Upgrade to Apache Tomcat 8.5.55 or later
Upgrade to Apache Tomcat 7.0.104 or later
Alternatively, users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized.
Telemetry
Coverage
| IPS (Regular DB) | |
| IPS (Extended DB) |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2020-08-17 | 15.906 | Sig Added |
| 2020-08-12 | 15.904 | Default_action:pass:drop |
| 2020-06-05 | 15.858 |
| ID | 49173 |
| Created | Jun 05, 2020 |
| Updated | Sep 23, 2020 |
| Risk |
|
| CVE ID | CVE-2020-9484 CVE-2021-25329 |
| Exploit Prediction Score | 92.25% |
| Default Action | drop |
| Active | |
| Affected OS | Windows, Linux |
| Affected App | Apache |