{
  "threat_severity" : "Low",
  "public_date" : "2021-03-01T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)",
    "id" : "1934061",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1934061"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue." ],
  "statement" : "In Red Hat Enterprise Linux 8, Red Hat Certificate System 10 and Identity Management are using the `pki-servlet-engine` component, which embeds a vulnerable version of Tomcat. However, in these specific contexts, the prerequisites to the vulnerability are not met. The PersistentManager is not set, and a SecurityManager is used. The use of `pki-servlet-engine` outside of these contexts is not supported. As a result, the vulnerability cannot be triggered in supported configurations of these products.\nRed Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of OpenStack Platform 14 and is only receiving security fixes for Important and Critical flaws.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.11",
    "release_date" : "2022-07-07T00:00:00Z",
    "advisory" : "RHSA-2022:5532",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2562",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-ecj-0:4.12.0-3.redhat_2.2.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-tomcat-0:9.0.43-11.redhat_00011.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-tomcat-native-0:1.2.26-3.redhat_3.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 7",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el7",
    "package" : "jws5-tomcat-vault-0:1.1.8-2.Final_redhat_00003.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-ecj-0:4.12.0-3.redhat_2.2.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-mod_cluster-0:1.4.3-2.Final_redhat_00002.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-tomcat-0:9.0.43-11.redhat_00011.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-tomcat-native-0:1.2.26-3.redhat_3.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.5 on RHEL 8",
    "release_date" : "2021-06-29T00:00:00Z",
    "advisory" : "RHSA-2021:2561",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.5::el8",
    "package" : "jws5-tomcat-vault-0:1.1.8-2.Final_redhat_00003.1.el8jws"
  }, {
    "product_name" : "Red Hat support for Spring Boot 2.3.10",
    "release_date" : "2021-09-09T00:00:00Z",
    "advisory" : "RHSA-2021:3425",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "tomcat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-25329\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-25329\nhttp://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3C811bba77-e74e-9f9b-62ca-5253a09ba84f%40apache.org%3E\nhttps://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2\nhttps://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.108\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63\nhttps://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43" ],
  "name" : "CVE-2021-25329",
  "mitigation" : {
    "value" : "Users may configure the PersistentManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application-provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.",
    "lang" : "en:us"
  },
  "csaw" : false
}