
Apache Tomcat – CVE-2021-25329 Incomplete fix for CVE-2020-9484 (RCE via session persistence)

The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484.

Note that both the previously published prerequisites for CVE-2020-9484 also apply to this issue.

Mitigation:
Users of the affected versions should apply one of the following mitigations:

  • Upgrade to Apache Tomcat 10.0.2 or later
  • Upgrade to Apache Tomcat 9.0.43 or later
  • Upgrade to Apache Tomcat 8.5.63 or later
  • Upgrade to Apache Tomcat 7.0.108 or later
  • Apply the previously published non-upgrade mitigations for CVE-2020-9484, which also apply to this issue

Note that this issue was fixed in 10.0.1, 9.0.42 and 8.5.62, but the release votes for those versions did not pass, so those builds were never released; the versions listed above are the first released builds containing the complete fix.
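As an added example (not part of the advisory and not Tomcat project code), the following branch-aware check takes the fixed releases listed above and reports whether an installed version is at or past the fix. It accepts either a bare version or the `Server version: Apache Tomcat/x.y.z` line that `catalina.sh version` prints; the version strings in the block are constructed samples, and the check deliberately reports unlisted branches as unknown rather than as safe.

```python
"""Branch-aware check of a Tomcat version against the fixed releases named
in the CVE-2021-25329 advisory.

Added example, not part of the advisory: FIXED is transcribed from the
advisory's mitigation list; the sample version strings are constructed."""

import re
from typing import Optional, Tuple

# First *released* build on each branch that carries the complete fix
# (from the advisory).  10.0.1, 9.0.42 and 8.5.62 never shipped, so a
# plain >= comparison against these values classifies them correctly.
FIXED = {
    (10, 0): (10, 0, 2),
    (9, 0): (9, 0, 43),
    (8, 5): (8, 5, 63),
    (7, 0): (7, 0, 108),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from strings such as '9.0.41',
    'Apache Tomcat/9.0.41' or 'Server version: Apache Tomcat/9.0.41'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    return tuple(int(x) for x in m.groups())  # type: ignore[return-value]


def is_fixed(text: str) -> Optional[bool]:
    """True if the version contains the fix, False if it is still affected,
    None if the branch is not covered by the advisory (e.g. an end-of-life
    line); callers should treat None as 'not known to be fixed'."""
    ver = parse_version(text)
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return None
    return ver >= fixed


def audit(server_lines):
    """Classify several hosts at once from their 'Server version:' lines.
    Returns {host: 'fixed' | 'affected' | 'unknown'}."""
    report = {}
    for host, line in server_lines.items():
        status = is_fixed(line)
        report[host] = "unknown" if status is None else ("fixed" if status else "affected")
    return report


if __name__ == "__main__":
    # Constructed sample inventory, as produced by `catalina.sh version` on each host.
    SAMPLE = {
        "web-01": "Server version: Apache Tomcat/9.0.41",
        "web-02": "Server version: Apache Tomcat/9.0.43",
        "web-03": "Server version: Apache Tomcat/10.0.1",
        "legacy-01": "Server version: Apache Tomcat/8.0.53",
    }
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Because the comparison is per branch, a 9.0.x host is judged against 9.0.43 and not against the 10.0.x line, and a branch the advisory does not list is reported as `unknown` so it still shows up for review instead of silently passing.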

Jason Davies

I am one of the editors here at www.systemtek.co.uk I am a UK based technology professional, with an interest in computer security and telecoms.
