A deserialization flaw was discovered in Apache Tomcat’s use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference <https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html>.
mail-archives.apache.org/mod_mbox/tomcat-announce/202005.mbox/%3Ce3a0a517-bf82-ba62-0af6-24b83ea0e4e2%40apache.org%3E
tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M5
tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.104
tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.55
tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.35
bugzilla.redhat.com/show_bug.cgi?id=1838332
nvd.nist.gov/vuln/detail/CVE-2020-9484
www.cve.org/CVERecord?id=CVE-2020-9484