Tomcat Vulnerabilities on and


Article ID: 211238


Updated On:


CA Single Sign On Agents (SiteMinder), CA Single Sign On Secure Proxy Server (SiteMinder), SITEMINDER, CA Single Sign On Federation (SiteMinder)



Tomcat and have vulnerabilities CVE-2021-25122 (1)
and CVE-2021-25329 (2).




Siteminder is not impacted, nor affected by these vulnerabilities.


  Siteminder is not impacted by CVE-2021-25122, as that issue concerns h2c
  connections, that is, HTTP/2 over TCP. Reference: h2c is HTTP/2 over TCP (3).


  Siteminder is not affected by CVE-2021-25329 because it does not configure
  a PersistenceManager; it generally runs Tomcat at the default settings, so
  the affected configuration is not present (4).


Additional Information





     When responding to new h2c connection requests, Apache Tomcat versions
     10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, and 8.5.0 to 8.5.61 could
     duplicate request headers and a limited amount of request body from
     one request to another meaning user A and user B could both see the
     results of user A's request.




     The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat
     10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or
     7.0.0 to 7.0.107 with a configuration edge case that was highly
     unlikely to be used, the Tomcat instance was still vulnerable to
     CVE-2020-9494. Note that both the previously published prerequisites
     for CVE-2020-9484 and the previously published mitigations for
     CVE-2020-9484 also apply to this issue (4).


   HTTP/2 guide


   Fixed in Apache Tomcat 7.0.104

     High: Remote Code Execution via session persistence CVE-2020-9484


       - an attacker is able to control the contents and name of a
         file on the server; and
       - the server is configured to use the PersistenceManager with a
         FileStore; and
       - the PersistenceManager is configured with
         sessionAttributeValueClassNameFilter="null" (the default
         unless a SecurityManager is used) or a sufficiently lax
         filter to allow the attacker provided object to be
         deserialized; and
       - the attacker knows the relative file path from the storage
         location used by FileStore to the file the attacker has
         control over;

     then, using a specifically crafted request, the attacker will be able
     to trigger remote code execution via deserialization of the file under
     their control.

     Note: All of conditions above must be true for the attack to succeed.
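The two server-side preconditions above (a PersistenceManager backed by a FileStore, and a missing or "null" sessionAttributeValueClassNameFilter) can be checked directly in a Tomcat context.xml. The following is an added example, not code from this article or from Broadcom/CA; the class names are Tomcat's own (org.apache.catalina.session.PersistentManager and FileStore), while the sample contexts and the hardened filter regex are constructed for illustration. A default context with no Manager element, as the article says Siteminder uses, produces no finding.

```python
import xml.etree.ElementTree as ET

# Tomcat class names for the persistence manager and its file-backed store.
PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed sample contexts (not from any real deployment).
DEFAULT_CONTEXT = "<Context></Context>"  # no Manager: Tomcat defaults
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""


def find_persistent_file_store_findings(context_xml: str) -> list:
    """Return one finding per <Manager> that matches the CVE-2020-9484
    server-side preconditions: PersistentManager + FileStore with the
    sessionAttributeValueClassNameFilter absent or set to "null".
    A non-empty filter is reported for manual review only, because whether
    it is "sufficiently lax" cannot be decided mechanically here."""
    root = ET.fromstring(context_xml)
    findings = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        stores = [s for s in manager.findall("Store")
                  if s.get("className") == FILE_STORE]
        if not stores:
            continue  # persistence without a FileStore is outside this check
        flt = manager.get("sessionAttributeValueClassNameFilter")
        if flt is None or flt.strip().lower() == "null":
            findings.append("PersistentManager + FileStore with no class name "
                            "filter (the default unless a SecurityManager is used)")
        else:
            findings.append(f"PersistentManager + FileStore with filter {flt!r}; "
                            "review that it is not overly permissive")
    return findings


if __name__ == "__main__":
    for name, ctx in [("default", DEFAULT_CONTEXT), ("weak", WEAK_CONTEXT),
                      ("hardened", HARDENED_CONTEXT)]:
        print(name, find_persistent_file_store_findings(ctx))
```

Apply the filter to each context.xml (and any Manager defined in server.xml) that the advisory's affected Tomcat versions serve; the remaining preconditions concern attacker control of a file on the server and are not visible in configuration.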