First published: Mon Mar 01 2021
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. Those prerequisites are that the attacker can control the name and contents of a file on the server, that the server uses the PersistentManager with a FileStore, that the PersistentManager has no sessionAttributeValueClassNameFilter (the default unless a SecurityManager is used) or a filter lax enough to admit the attacker's object, and that the attacker knows the path of the controlled file relative to the FileStore's storage directory.
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jws5-ecj | <0:4.12.0-3.redhat_2.2.el7 | 0:4.12.0-3.redhat_2.2.el7 |
redhat/jws5-tomcat | <0:9.0.43-11.redhat_00011.1.el7 | 0:9.0.43-11.redhat_00011.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.26-3.redhat_3.el7 | 0:1.2.26-3.redhat_3.el7 |
redhat/jws5-tomcat-vault | <0:1.1.8-2.Final_redhat_00003.1.el7 | 0:1.1.8-2.Final_redhat_00003.1.el7 |
redhat/jws5-ecj | <0:4.12.0-3.redhat_2.2.el8 | 0:4.12.0-3.redhat_2.2.el8 |
redhat/jws5-tomcat | <0:9.0.43-11.redhat_00011.1.el8 | 0:9.0.43-11.redhat_00011.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.26-3.redhat_3.el8 | 0:1.2.26-3.redhat_3.el8 |
redhat/jws5-tomcat-vault | <0:1.1.8-2.Final_redhat_00003.1.el8 | 0:1.1.8-2.Final_redhat_00003.1.el8 |
redhat/tomcat | <10.0.2 | 10.0.2 |
redhat/tomcat | <9.0.43 | 9.0.43 |
redhat/tomcat | <8.5.63 | 8.5.63 |
redhat/tomcat | <7.0.108 | 7.0.108 |
ubuntu/tomcat9 | <9.0.16-3ubuntu0.18.04.2 | 9.0.16-3ubuntu0.18.04.2 |
ubuntu/tomcat9 | <9.0.31-1ubuntu0.2 | 9.0.31-1ubuntu0.2 |
debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u12 9.0.43-2~deb11u9 9.0.43-2~deb11u10 9.0.70-2 | |
Apache Tomcat | >=7.0.0<=7.0.107 | |
Apache Tomcat | >=8.5.0<=8.5.61 | |
Apache Tomcat | >=9.0.0<=9.0.41 | |
Apache Tomcat | =9.0.0-milestone1 | |
Apache Tomcat | =9.0.0-milestone10 | |
Apache Tomcat | =9.0.0-milestone11 | |
Apache Tomcat | =9.0.0-milestone12 | |
Apache Tomcat | =9.0.0-milestone13 | |
Apache Tomcat | =9.0.0-milestone14 | |
Apache Tomcat | =9.0.0-milestone15 | |
Apache Tomcat | =9.0.0-milestone16 | |
Apache Tomcat | =9.0.0-milestone17 | |
Apache Tomcat | =9.0.0-milestone18 | |
Apache Tomcat | =9.0.0-milestone19 | |
Apache Tomcat | =9.0.0-milestone2 | |
Apache Tomcat | =9.0.0-milestone20 | |
Apache Tomcat | =9.0.0-milestone21 | |
Apache Tomcat | =9.0.0-milestone22 | |
Apache Tomcat | =9.0.0-milestone23 | |
Apache Tomcat | =9.0.0-milestone24 | |
Apache Tomcat | =9.0.0-milestone25 | |
Apache Tomcat | =9.0.0-milestone26 | |
Apache Tomcat | =9.0.0-milestone27 | |
Apache Tomcat | =9.0.0-milestone3 | |
Apache Tomcat | =9.0.0-milestone4 | |
Apache Tomcat | =9.0.0-milestone5 | |
Apache Tomcat | =9.0.0-milestone6 | |
Apache Tomcat | =9.0.0-milestone7 | |
Apache Tomcat | =9.0.0-milestone8 | |
Apache Tomcat | =9.0.0-milestone9 | |
Apache Tomcat | =10.0.0 | |
Apache Tomcat | =10.0.0-milestone1 | |
Apache Tomcat | =10.0.0-milestone10 | |
Apache Tomcat | =10.0.0-milestone2 | |
Apache Tomcat | =10.0.0-milestone3 | |
Apache Tomcat | =10.0.0-milestone4 | |
Apache Tomcat | =10.0.0-milestone5 | |
Apache Tomcat | =10.0.0-milestone6 | |
Apache Tomcat | =10.0.0-milestone7 | |
Apache Tomcat | =10.0.0-milestone8 | |
Apache Tomcat | =10.0.0-milestone9 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Oracle Agile PLM | =9.3.3 | |
Oracle Agile PLM | =9.3.6 | |
Oracle Communications Cloud Native Core Policy | =1.14.0 | |
Oracle Communications Cloud Native Core Security Edge Protection Proxy | =1.6.0 | |
Oracle Communications Instant Messaging Server | =10.0.1.5.0 | |
Oracle Database | =12.2.0.1 | |
Oracle Database | =19c | |
Oracle Database | =21c | |
Oracle Graph Server And Client | <21.3.0 | |
Oracle Instantis Enterprisetrack | =17.1 | |
Oracle Instantis Enterprisetrack | =17.2 | |
Oracle Instantis Enterprisetrack | =17.3 | |
Oracle Managed File Transfer | =12.2.1.3.0 | |
Oracle Managed File Transfer | =12.2.1.4.0 | |
Oracle Mysql Enterprise Monitor | <=8.0.23 | |
Oracle Siebel Ui Framework | <21.9 | |
Oracle Siebel Ui Framework | =21.9 | |
Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.
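The following is an added example, not code from the Apache Tomcat project or from this advisory. It audits a Tomcat `context.xml` for the mitigation described above: it finds every `PersistentManager`, reports whether `sessionAttributeValueClassNameFilter` is set, and checks which class names the filter would admit. Tomcat applies the filter as a Java regular expression that must match the whole class name, so `re.fullmatch` is used as the Python equivalent. Both configuration fragments are constructed samples; the `com.example.app.session` package and the probe class names are hypothetical stand-ins.

```python
"""Audit Tomcat context.xml for the CVE-2020-9484 / CVE-2021-25329 mitigation.

Added example, not Tomcat code. A PersistentManager without a
sessionAttributeValueClassNameFilter (and no SecurityManager) will
deserialize any serializable class on the classpath from its Store.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"

# Constructed sample: PersistentManager with a FileStore and no class-name
# filter. This is the weak setting the advisory's mitigation addresses.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
"""

# Constructed sample: same manager, but only a few JDK value types and the
# application's own (hypothetical) com.example.app.session.* classes may be
# deserialized. Backslashes are doubled for the Python string literal only.
HARDENED_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)|com\\.example\\.app\\.session\\..*">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>
"""

# Hypothetical class name standing in for an arbitrary class an attacker
# might want deserialized; a sound filter must reject it.
PROBE_CLASS = "com.example.untrusted.Probe"


def class_allowed(filter_regex: str | None, class_name: str) -> bool:
    """Mirror Tomcat's check: no filter means every class is allowed;
    otherwise the regex must match the entire class name."""
    if not filter_regex:
        return True
    return re.fullmatch(filter_regex, class_name) is not None


def audit_persistent_managers(context_xml: str) -> list[dict]:
    """Return one finding per PersistentManager in the given context.xml."""
    root = ET.fromstring(context_xml)
    findings = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        filt = manager.get("sessionAttributeValueClassNameFilter")
        stores = [s.get("className", "") for s in manager.findall("Store")]
        findings.append({
            "filter": filt,
            "stores": stores,
            # Weak if the filter is absent/empty, or if it still lets an
            # arbitrary (non-application) class through.
            "weak": class_allowed(filt, PROBE_CLASS),
        })
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_CONTEXT_XML), ("hardened", HARDENED_CONTEXT_XML)):
        for f in audit_persistent_managers(xml_text):
            status = "WEAK" if f["weak"] else "ok"
            print(f"{label}: stores={f['stores']} filter={f['filter']!r} -> {status}")
```

Run it against a real `conf/context.xml` or a per-application `META-INF/context.xml` by passing the file contents to `audit_persistent_managers`. A finding marked weak with a `FileStore` present is exactly the configuration the advisory's prerequisites describe; the fix is to upgrade and, independently, to set a filter that names only the application's own session attribute classes.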
CVE-2021-25329 is a vulnerability in Apache Tomcat, caused by an incomplete fix for CVE-2020-9484, that allows an attacker who meets the CVE-2020-9484 prerequisites to have attacker-controlled data deserialized by the PersistentManager, which can lead to arbitrary code execution or denial of service.
CVE-2021-25329 has a high severity rating with a CVSS score of 7.0.
CVE-2021-25329 affects Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, and 7.0.0 to 7.0.107.
To fix CVE-2021-25329, you should upgrade Apache Tomcat to version 10.0.2, 9.0.43, 8.5.63, or 7.0.108, depending on the affected version.
You can find more information about CVE-2021-25329 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2020-9484) (Red Hat's page for the original issue, CVE-2020-9484), [Reference 2](https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4) and [Reference 3](https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453) (the Apache Tomcat fix commits).