CVE-2021-25329: Incomplete fix for CVE-2020-9484
First published: Mon Mar 01 2021(Updated: )
Last updated 2 August 2024
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jws5-ecj | <0:4.12.0-3.redhat_2.2.el7 | 0:4.12.0-3.redhat_2.2.el7 |
| redhat/jws5-tomcat | <0:9.0.43-11.redhat_00011.1.el7 | 0:9.0.43-11.redhat_00011.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.26-3.redhat_3.el7 | 0:1.2.26-3.redhat_3.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-2.Final_redhat_00003.1.el7 | 0:1.1.8-2.Final_redhat_00003.1.el7 |
| redhat/jws5-ecj | <0:4.12.0-3.redhat_2.2.el8 | 0:4.12.0-3.redhat_2.2.el8 |
| redhat/jws5-tomcat | <0:9.0.43-11.redhat_00011.1.el8 | 0:9.0.43-11.redhat_00011.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.26-3.redhat_3.el8 | 0:1.2.26-3.redhat_3.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-2.Final_redhat_00003.1.el8 | 0:1.1.8-2.Final_redhat_00003.1.el8 |
| redhat/tomcat | <10.0.2 | 10.0.2 |
| redhat/tomcat | <9.0.43 | 9.0.43 |
| redhat/tomcat | <8.5.63 | 8.5.63 |
| redhat/tomcat | <7.0.108 | 7.0.108 |
| Tomcat | >=7.0.0<=7.0.107 | |
| Tomcat | >=8.5.0<=8.5.61 | |
| Tomcat | >=9.0.0<=9.0.41 | |
| Tomcat | =9.0.0-milestone1 | |
| Tomcat | =9.0.0-milestone10 | |
| Tomcat | =9.0.0-milestone11 | |
| Tomcat | =9.0.0-milestone12 | |
| Tomcat | =9.0.0-milestone13 | |
| Tomcat | =9.0.0-milestone14 | |
| Tomcat | =9.0.0-milestone15 | |
| Tomcat | =9.0.0-milestone16 | |
| Tomcat | =9.0.0-milestone17 | |
| Tomcat | =9.0.0-milestone18 | |
| Tomcat | =9.0.0-milestone19 | |
| Tomcat | =9.0.0-milestone2 | |
| Tomcat | =9.0.0-milestone20 | |
| Tomcat | =9.0.0-milestone21 | |
| Tomcat | =9.0.0-milestone22 | |
| Tomcat | =9.0.0-milestone23 | |
| Tomcat | =9.0.0-milestone24 | |
| Tomcat | =9.0.0-milestone25 | |
| Tomcat | =9.0.0-milestone26 | |
| Tomcat | =9.0.0-milestone27 | |
| Tomcat | =9.0.0-milestone3 | |
| Tomcat | =9.0.0-milestone4 | |
| Tomcat | =9.0.0-milestone5 | |
| Tomcat | =9.0.0-milestone6 | |
| Tomcat | =9.0.0-milestone7 | |
| Tomcat | =9.0.0-milestone8 | |
| Tomcat | =9.0.0-milestone9 | |
| Tomcat | =10.0.0 | |
| Tomcat | =10.0.0-milestone1 | |
| Tomcat | =10.0.0-milestone10 | |
| Tomcat | =10.0.0-milestone2 | |
| Tomcat | =10.0.0-milestone3 | |
| Tomcat | =10.0.0-milestone4 | |
| Tomcat | =10.0.0-milestone5 | |
| Tomcat | =10.0.0-milestone6 | |
| Tomcat | =10.0.0-milestone7 | |
| Tomcat | =10.0.0-milestone8 | |
| Tomcat | =10.0.0-milestone9 | |
| Debian Linux | =9.0 | |
| Debian Linux | =10.0 | |
| Oracle Agile Product Lifecycle Management Framework | =9.3.3 | |
| Oracle Agile Product Lifecycle Management Framework | =9.3.6 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle Communications Cloud Native Core Network Repository Function | =1.6.0 | |
| Oracle Communications Instant Messaging Server | =10.0.1.5.0 | |
| Oracle Database | =12.2.0.1 | |
| Oracle Database | =19c | |
| Oracle Database | =21c | |
| Oracle Client | <21.3.0 | |
| Oracle Instantis EnterpriseTrack | =17.1 | |
| Oracle Instantis EnterpriseTrack | =17.2 | |
| Oracle Instantis EnterpriseTrack | =17.3 | |
| Oracle Managed File Transfer | =12.2.1.3.0 | |
| Oracle Managed File Transfer | =12.2.1.4.0 | |
| MySQL Enterprise Monitor | <=8.0.23 | |
| Oracle Siebel User Interface Framework | <21.9 | |
| Oracle Siebel User Interface Framework | =21.9 | |
| debian/tomcat9 | 9.0.43-2~deb11u10 9.0.43-2~deb11u12 9.0.70-2 9.0.95-1 |
Remedy
Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-25329 https://nvd.nist.gov/vuln/detail/CVE-2021-25329 http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3C811bba77-e74e-9f9b-62ca-5253a09ba84f%40apache.org%3E https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.108 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
- https://bugzilla.redhat.com/show_bug.cgi?id=1934061
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2021:2562
- https://access.redhat.com/errata/RHSA-2021:2561
- https://access.redhat.com/errata/RHSA-2021:3425
- https://access.redhat.com/security/cve/cve-2021-25329
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/03/01/2
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
- https://security.netapp.com/advisory/ntap-20210409-0002/
- https://www.debian.org/security/2021/dsa-4891
- https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.gentoo.org/glsa/202208-34
- https://launchpad.net/bugs/cve/CVE-2021-25329
- https://access.redhat.com/security/cve/CVE-2020-9484
- https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4
- https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453
- https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251c6f35
- https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf30d1f5
- http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3C811bba77-e74e-9f9b-62ca-5253a09ba84f%40apache.org%3E
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.108
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E
- https://www.openwall.com/lists/oss-security/2021/03/01/2
- https://security-tracker.debian.org/tracker/CVE-2021-25329
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329
- https://nvd.nist.gov/vuln/detail/CVE-2021-25329
- https://ubuntu.com/security/CVE-2021-25329
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-25329?
CVE-2021-25329 is a vulnerability in Apache Tomcat that allows remote attackers to execute arbitrary code or cause a denial of service.
How severe is CVE-2021-25329?
CVE-2021-25329 has a high severity rating with a CVSS score of 7.0.
Which versions of Apache Tomcat are affected by CVE-2021-25329?
CVE-2021-25329 affects Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, and 7.0.0 to 7.0.107.
How can I fix CVE-2021-25329?
To fix CVE-2021-25329, you should upgrade Apache Tomcat to version 10.0.2, 9.0.43, 8.5.63, or 7.0.108, depending on the affected version.
Where can I find more information about CVE-2021-25329?
You can find more information about CVE-2021-25329 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2020-9484), [Reference 2](https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4), [Reference 3](https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453).
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/weakness
- collector/mitre-cve
- source/MITRE
- agent/title
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- agent/event
- agent/trending
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-25329
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- collector/security-tracker-debian
- source/Debian
- package-manager/redhat
- vendor/apache
- canonical/tomcat
- version/tomcat/7.0.0
- version/tomcat/7.0.107
- version/tomcat/8.5.0
- version/tomcat/8.5.61
- version/tomcat/9.0.0
- version/tomcat/9.0.41
- version/tomcat/9.0.0-milestone1
- version/tomcat/9.0.0-milestone10
- version/tomcat/9.0.0-milestone11
- version/tomcat/9.0.0-milestone12
- version/tomcat/9.0.0-milestone13
- version/tomcat/9.0.0-milestone14
- version/tomcat/9.0.0-milestone15
- version/tomcat/9.0.0-milestone16
- version/tomcat/9.0.0-milestone17
- version/tomcat/9.0.0-milestone18
- version/tomcat/9.0.0-milestone19
- version/tomcat/9.0.0-milestone2
- version/tomcat/9.0.0-milestone20
- version/tomcat/9.0.0-milestone21
- version/tomcat/9.0.0-milestone22
- version/tomcat/9.0.0-milestone23
- version/tomcat/9.0.0-milestone24
- version/tomcat/9.0.0-milestone25
- version/tomcat/9.0.0-milestone26
- version/tomcat/9.0.0-milestone27
- version/tomcat/9.0.0-milestone3
- version/tomcat/9.0.0-milestone4
- version/tomcat/9.0.0-milestone5
- version/tomcat/9.0.0-milestone6
- version/tomcat/9.0.0-milestone7
- version/tomcat/9.0.0-milestone8
- version/tomcat/9.0.0-milestone9
- version/tomcat/10.0.0
- version/tomcat/10.0.0-milestone1
- version/tomcat/10.0.0-milestone10
- version/tomcat/10.0.0-milestone2
- version/tomcat/10.0.0-milestone3
- version/tomcat/10.0.0-milestone4
- version/tomcat/10.0.0-milestone5
- version/tomcat/10.0.0-milestone6
- version/tomcat/10.0.0-milestone7
- version/tomcat/10.0.0-milestone8
- version/tomcat/10.0.0-milestone9
- vendor/debian
- canonical/debian linux
- version/debian linux/9.0
- version/debian linux/10.0
- vendor/oracle
- canonical/oracle agile product lifecycle management framework
- version/oracle agile product lifecycle management framework/9.3.3
- version/oracle agile product lifecycle management framework/9.3.6
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle communications cloud native core network repository function
- version/oracle communications cloud native core network repository function/1.6.0
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.5.0
- canonical/oracle database
- version/oracle database/12.2.0.1
- version/oracle database/19c
- version/oracle database/21c
- canonical/oracle client
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle managed file transfer
- version/oracle managed file transfer/12.2.1.3.0
- version/oracle managed file transfer/12.2.1.4.0
- canonical/mysql enterprise monitor
- version/mysql enterprise monitor/8.0.23
- canonical/oracle siebel user interface framework
- version/oracle siebel user interface framework/21.9
- package-manager/debian