Apache Tomcat – CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)

The fix for CVE-2020-9484 was incomplete. In a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484.

Note that both of the previously published prerequisites for CVE-2020-9484 also apply to this issue.

Mitigation:
Users of the affected versions should apply one of the following mitigations:

  • Upgrade to Apache Tomcat 10.0.2 or later
  • Upgrade to Apache Tomcat 9.0.43 or later
  • Upgrade to Apache Tomcat 8.5.63 or later
  • Upgrade to Apache Tomcat 7.0.108 or later
  • The previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue

Note that the issue was fixed in 10.0.1, 9.0.42 and 8.5.62, but the release votes for those versions did not pass, so those versions were never released.
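The following is an added example, not part of the advisory or of the Tomcat project, for checking a deployed instance against the fixed versions listed above. It assumes the input is either a bare version string or the `Server version:` / `Server number:` lines printed by `catalina.sh version`; the sample output it parses is constructed. Because 10.0.1, 9.0.42 and 8.5.62 were never released, it conservatively treats anything below the first released fixed version on each branch as unfixed.

```python
"""Check an Apache Tomcat version against the CVE-2021-25329 fixed releases.

Added example (not the advisory's or Tomcat's own code). Fixed versions are
taken from the advisory: 10.0.2, 9.0.43, 8.5.63 and 7.0.108.
"""
import re

# First released fixed version per supported branch, keyed by (major, minor).
FIXED = {
    (10, 0): (10, 0, 2),
    (9, 0): (9, 0, 43),
    (8, 5): (8, 5, 63),
    (7, 0): (7, 0, 108),
}

# Matches x.y.z with an optional fourth component (Tomcat's "Server number"
# line reports four components, e.g. 9.0.41.0).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return the first x.y.z[.w] version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def assess(text):
    """Classify a version string as 'fixed', 'vulnerable' or 'unknown-branch'.

    Branches not listed in the advisory (e.g. 6.0.x, 10.1.x) are reported as
    'unknown-branch' rather than guessed at. 10.0.1, 9.0.42 and 8.5.62 carried
    the fix but were never released, so they fall below the fixed threshold
    and are reported as vulnerable (the conservative choice for a binary
    whose provenance is unknown).
    """
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version number found in {text!r}")
    branch = v[:2]
    if branch not in FIXED:
        return "unknown-branch"
    return "fixed" if v[:3] >= FIXED[branch] else "vulnerable"


def assess_catalina_output(output):
    """Assess the multi-line output of `catalina.sh version`.

    Prefers the 'Server number:' line (four components, unambiguous) and
    falls back to 'Server version:' (e.g. 'Apache Tomcat/9.0.41').
    """
    lines = output.splitlines()
    for prefix in ("Server number:", "Server version:"):
        for line in lines:
            if line.strip().startswith(prefix):
                return assess(line)
    raise ValueError("no Tomcat version line found in output")


# Constructed sample of the relevant lines from `catalina.sh version`.
SAMPLE_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.41
Server built:   Dec 3 2020 19:49:53 UTC
Server number:  9.0.41.0
OS Name:        Linux
"""

if __name__ == "__main__":
    for candidate in ("7.0.107", "8.5.62", "9.0.43", "Apache Tomcat/10.0.2"):
        print(f"{candidate:>22}: {assess(candidate)}")
    print(f"{'sample catalina output':>22}: {assess_catalina_output(SAMPLE_OUTPUT)}")
```

Run it against `$CATALINA_HOME/bin/catalina.sh version` output, or pass the version string from your inventory. A result of `fixed` only addresses the versions in this advisory; the non-upgrade mitigations still apply where an upgrade is not possible.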

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
