Tomcat 220.127.116.11 and 18.104.22.168 have vulnerabilities CVE-2021-25122 (1)
and CVE-2021-25329 (2).
Siteminder is not impacted by or affected by these vulnerabilities.
Siteminder is not impacted by CVE-2021-25122, as that issue concerns h2c
connections, that is, HTTP/2 over cleartext TCP.
Reference: h2c is HTTP/2 over TCP (3).
Siteminder is not affected by CVE-2021-25329 because it does not configure
the persistence manager: it runs with the default session manager settings,
so no PersistenceManager is configured and the issue does not apply (4).
When responding to new h2c connection requests, Apache Tomcat versions
10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, and 8.5.0 to 8.5.61 could
duplicate request headers and a limited amount of request body from
one request to another meaning user A and user B could both see the
results of user A's request.
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat
10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or
7.0.0 to 7.0.107 with a configuration edge case that was highly
unlikely to be used, the Tomcat instance was still vulnerable to
CVE-2020-9494. Note that both the previously published prerequisites
for CVE-2020-9484 and the previously published mitigations for
CVE-2020-9484 also apply to this issue (4).
Fixed in Apache Tomcat 7.0.104
High: Remote Code Execution via session persistence CVE-2020-9484

- an attacker is able to control the contents and name of a file on the server; and
- the server is configured to use the PersistenceManager with a
- the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be
- the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under

Note: All of the conditions above must be true for the attack to succeed.
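The two Tomcat issues above each hinge on a configuration precondition: CVE-2021-25122 needs a connector that accepts h2c (HTTP/2 upgrade on a non-TLS connector), and CVE-2020-9484 / CVE-2021-25329 need a PersistenceManager backed by a FileStore with a null or lax sessionAttributeValueClassNameFilter. The script below is an added example, not Siteminder, Broadcom or Apache Tomcat code: it reads server.xml and context.xml fragments and reports whether either precondition is present, which is the check an administrator would run to confirm the "we do not configure the persistence manager" statement on their own instance. The XML fragments are constructed samples; the class names org.apache.coyote.http2.Http2Protocol, org.apache.catalina.session.PersistentManager and org.apache.catalina.session.FileStore are the Tomcat class names the advisory's PersistenceManager/FileStore wording refers to; treating an absent filter attribute the same as "null" assumes no SecurityManager is in use, as the advisory notes.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: a TLS connector with HTTP/2 (h2, not h2c), a plain-HTTP
# connector with the HTTP/2 upgrade protocol (h2c, the CVE-2021-25122 case), and a
# plain HTTP/1.1 connector with no upgrade protocol.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" secure="true" scheme="https">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8081" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

# Constructed context.xml samples: the Tomcat default (no Manager element at all),
# a PersistentManager with a FileStore and no filter, and the same with an
# allow-list filter restricting which classes may be deserialized.
CONTEXT_DEFAULT = "<Context/>"

CONTEXT_PERSIST = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

CONTEXT_FILTERED = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""


def h2c_connectors(server_xml):
    """Return the ports of connectors that accept h2c: an HTTP/2 UpgradeProtocol
    on a connector that is not TLS-enabled (SSLEnabled absent or false)."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        upgrades = [u.get("className", "") for u in conn.findall("UpgradeProtocol")]
        if not tls and any(c.endswith("Http2Protocol") for c in upgrades):
            ports.append(conn.get("port", "?"))
    return ports


def persistence_exposure(context_xml):
    """Classify a context.xml against the CVE-2020-9484 preconditions:
    no-persistence-manager, persistence-manager-no-filestore,
    filestore-unfiltered (the exposed case) or filestore-filtered."""
    root = ET.fromstring(context_xml)
    mgr = root.find("Manager")
    if mgr is None or not mgr.get("className", "").endswith("PersistentManager"):
        return "no-persistence-manager"
    stores = [s.get("className", "") for s in mgr.findall("Store")]
    if not any(s.endswith("FileStore") for s in stores):
        return "persistence-manager-no-filestore"
    # Assumption: an absent attribute equals the documented default of null
    # (true unless a SecurityManager is enabled).
    filt = mgr.get("sessionAttributeValueClassNameFilter")
    if filt is None or filt.strip() == "" or filt.strip().lower() == "null":
        return "filestore-unfiltered"
    return "filestore-filtered"


if __name__ == "__main__":
    print("h2c connectors:", h2c_connectors(SERVER_XML))
    for name, xml in (("default", CONTEXT_DEFAULT),
                      ("persist", CONTEXT_PERSIST),
                      ("filtered", CONTEXT_FILTERED)):
        print(f"{name:9s} -> {persistence_exposure(xml)}")
```

On a real instance, point ET.fromstring at the contents of conf/server.xml and conf/context.xml (plus any per-application META-INF/context.xml); a Manager element may also appear inside a Host-level context, so adapt the find() to iter() if you nest contexts. A result of "filestore-unfiltered" on an affected Tomcat version means the upgrade to a fixed release, or an explicit allow-list filter, is the mitigation the advisory refers to.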