CVE-2021-25329
First published: Mon Mar 01 2021(Updated: )
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jws5-ecj | <0:4.12.0-3.redhat_2.2.el7 | 0:4.12.0-3.redhat_2.2.el7 |
| redhat/jws5-tomcat | <0:9.0.43-11.redhat_00011.1.el7 | 0:9.0.43-11.redhat_00011.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.26-3.redhat_3.el7 | 0:1.2.26-3.redhat_3.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-2.Final_redhat_00003.1.el7 | 0:1.1.8-2.Final_redhat_00003.1.el7 |
| redhat/jws5-ecj | <0:4.12.0-3.redhat_2.2.el8 | 0:4.12.0-3.redhat_2.2.el8 |
| redhat/jws5-tomcat | <0:9.0.43-11.redhat_00011.1.el8 | 0:9.0.43-11.redhat_00011.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.26-3.redhat_3.el8 | 0:1.2.26-3.redhat_3.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-2.Final_redhat_00003.1.el8 | 0:1.1.8-2.Final_redhat_00003.1.el8 |
| redhat/tomcat | <10.0.2 | 10.0.2 |
| redhat/tomcat | <9.0.43 | 9.0.43 |
| redhat/tomcat | <8.5.63 | 8.5.63 |
| redhat/tomcat | <7.0.108 | 7.0.108 |
| ubuntu/tomcat9 | <9.0.16-3ubuntu0.18.04.2 | 9.0.16-3ubuntu0.18.04.2 |
| ubuntu/tomcat9 | <9.0.31-1ubuntu0.2 | 9.0.31-1ubuntu0.2 |
| debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u12 9.0.43-2~deb11u9 9.0.43-2~deb11u10 9.0.70-2 | |
| Apache Tomcat | >=7.0.0<=7.0.107 | |
| Apache Tomcat | >=8.5.0<=8.5.61 | |
| Apache Tomcat | >=9.0.0<=9.0.41 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Apache Tomcat | =9.0.0-milestone10 | |
| Apache Tomcat | =9.0.0-milestone11 | |
| Apache Tomcat | =9.0.0-milestone12 | |
| Apache Tomcat | =9.0.0-milestone13 | |
| Apache Tomcat | =9.0.0-milestone14 | |
| Apache Tomcat | =9.0.0-milestone15 | |
| Apache Tomcat | =9.0.0-milestone16 | |
| Apache Tomcat | =9.0.0-milestone17 | |
| Apache Tomcat | =9.0.0-milestone18 | |
| Apache Tomcat | =9.0.0-milestone19 | |
| Apache Tomcat | =9.0.0-milestone2 | |
| Apache Tomcat | =9.0.0-milestone20 | |
| Apache Tomcat | =9.0.0-milestone21 | |
| Apache Tomcat | =9.0.0-milestone22 | |
| Apache Tomcat | =9.0.0-milestone23 | |
| Apache Tomcat | =9.0.0-milestone24 | |
| Apache Tomcat | =9.0.0-milestone25 | |
| Apache Tomcat | =9.0.0-milestone26 | |
| Apache Tomcat | =9.0.0-milestone27 | |
| Apache Tomcat | =9.0.0-milestone3 | |
| Apache Tomcat | =9.0.0-milestone4 | |
| Apache Tomcat | =9.0.0-milestone5 | |
| Apache Tomcat | =9.0.0-milestone6 | |
| Apache Tomcat | =9.0.0-milestone7 | |
| Apache Tomcat | =9.0.0-milestone8 | |
| Apache Tomcat | =9.0.0-milestone9 | |
| Apache Tomcat | =10.0.0 | |
| Apache Tomcat | =10.0.0-milestone1 | |
| Apache Tomcat | =10.0.0-milestone10 | |
| Apache Tomcat | =10.0.0-milestone2 | |
| Apache Tomcat | =10.0.0-milestone3 | |
| Apache Tomcat | =10.0.0-milestone4 | |
| Apache Tomcat | =10.0.0-milestone5 | |
| Apache Tomcat | =10.0.0-milestone6 | |
| Apache Tomcat | =10.0.0-milestone7 | |
| Apache Tomcat | =10.0.0-milestone8 | |
| Apache Tomcat | =10.0.0-milestone9 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Oracle Agile PLM | =9.3.3 | |
| Oracle Agile PLM | =9.3.6 | |
| Oracle Communications Cloud Native Core Policy | =1.14.0 | |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy | =1.6.0 | |
| Oracle Communications Instant Messaging Server | =10.0.1.5.0 | |
| Oracle Database | =12.2.0.1 | |
| Oracle Database | =19c | |
| Oracle Database | =21c | |
| Oracle Graph Server And Client | <21.3.0 | |
| Oracle Instantis Enterprisetrack | =17.1 | |
| Oracle Instantis Enterprisetrack | =17.2 | |
| Oracle Instantis Enterprisetrack | =17.3 | |
| Oracle Managed File Transfer | =12.2.1.3.0 | |
| Oracle Managed File Transfer | =12.2.1.4.0 | |
| Oracle Mysql Enterprise Monitor | <=8.0.23 | |
| Oracle Siebel Ui Framework | <21.9 | |
| Oracle Siebel Ui Framework | =21.9 |
Remedy
Users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized. For more details about the configuration, refer to the Apache Tomcat 9 Configuration Reference https://tomcat.apache.org/tomcat-9.0-doc/config/manager.html.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-25329 https://nvd.nist.gov/vuln/detail/CVE-2021-25329 http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3C811bba77-e74e-9f9b-62ca-5253a09ba84f%40apache.org%3E https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.108 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
- https://bugzilla.redhat.com/show_bug.cgi?id=1934061
- https://access.redhat.com/errata/RHSA-2022:5532
- https://access.redhat.com/errata/RHSA-2021:2562
- https://access.redhat.com/errata/RHSA-2021:2561
- https://access.redhat.com/errata/RHSA-2021:3425
- https://access.redhat.com/security/cve/cve-2021-25329
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E
- http://www.openwall.com/lists/oss-security/2021/03/01/2
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html
- https://security.netapp.com/advisory/ntap-20210409-0002/
- https://www.debian.org/security/2021/dsa-4891
- https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://security.gentoo.org/glsa/202208-34
- https://launchpad.net/bugs/cve/CVE-2021-25329
- https://access.redhat.com/security/cve/CVE-2020-9484
- https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4
- https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453
- https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251c6f35
- https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf30d1f5
- http://mail-archives.apache.org/mod_mbox/tomcat-announce/202103.mbox/%3C811bba77-e74e-9f9b-62ca-5253a09ba84f%40apache.org%3E
- https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.2
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.63
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.108
- https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cusers.tomcat.apache.org%3E
- https://www.openwall.com/lists/oss-security/2021/03/01/2
- https://security-tracker.debian.org/tracker/CVE-2021-25329
- https://ubuntu.com/security/notices/USN-5360-1
- https://www.cve.org/CVERecord?id=CVE-2021-25329
- https://nvd.nist.gov/vuln/detail/CVE-2021-25329
- https://ubuntu.com/security/CVE-2021-25329
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-25329?
CVE-2021-25329 is a vulnerability in Apache Tomcat that allows remote attackers to execute arbitrary code or cause a denial of service.
How severe is CVE-2021-25329?
CVE-2021-25329 has a high severity rating with a CVSS score of 7.0.
Which versions of Apache Tomcat are affected by CVE-2021-25329?
CVE-2021-25329 affects Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, and 7.0.0 to 7.0.107.
How can I fix CVE-2021-25329?
To fix CVE-2021-25329, you should upgrade Apache Tomcat to version 10.0.2, 9.0.43, 8.5.63, or 7.0.108, depending on the affected version.
Where can I find more information about CVE-2021-25329?
You can find more information about CVE-2021-25329 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2020-9484), [Reference 2](https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4), [Reference 3](https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453).
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-25329
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/description
- agent/event
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/ubuntu
- package-manager/debian
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.107
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.61
- version/apache tomcat/9.0.0
- version/apache tomcat/9.0.41
- version/apache tomcat/9.0.0-milestone1
- version/apache tomcat/9.0.0-milestone10
- version/apache tomcat/9.0.0-milestone11
- version/apache tomcat/9.0.0-milestone12
- version/apache tomcat/9.0.0-milestone13
- version/apache tomcat/9.0.0-milestone14
- version/apache tomcat/9.0.0-milestone15
- version/apache tomcat/9.0.0-milestone16
- version/apache tomcat/9.0.0-milestone17
- version/apache tomcat/9.0.0-milestone18
- version/apache tomcat/9.0.0-milestone19
- version/apache tomcat/9.0.0-milestone2
- version/apache tomcat/9.0.0-milestone20
- version/apache tomcat/9.0.0-milestone21
- version/apache tomcat/9.0.0-milestone22
- version/apache tomcat/9.0.0-milestone23
- version/apache tomcat/9.0.0-milestone24
- version/apache tomcat/9.0.0-milestone25
- version/apache tomcat/9.0.0-milestone26
- version/apache tomcat/9.0.0-milestone27
- version/apache tomcat/9.0.0-milestone3
- version/apache tomcat/9.0.0-milestone4
- version/apache tomcat/9.0.0-milestone5
- version/apache tomcat/9.0.0-milestone6
- version/apache tomcat/9.0.0-milestone7
- version/apache tomcat/9.0.0-milestone8
- version/apache tomcat/9.0.0-milestone9
- version/apache tomcat/10.0.0
- version/apache tomcat/10.0.0-milestone1
- version/apache tomcat/10.0.0-milestone10
- version/apache tomcat/10.0.0-milestone2
- version/apache tomcat/10.0.0-milestone3
- version/apache tomcat/10.0.0-milestone4
- version/apache tomcat/10.0.0-milestone5
- version/apache tomcat/10.0.0-milestone6
- version/apache tomcat/10.0.0-milestone7
- version/apache tomcat/10.0.0-milestone8
- version/apache tomcat/10.0.0-milestone9
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/oracle
- canonical/oracle agile plm
- version/oracle agile plm/9.3.3
- version/oracle agile plm/9.3.6
- canonical/oracle communications cloud native core policy
- version/oracle communications cloud native core policy/1.14.0
- canonical/oracle communications cloud native core security edge protection proxy
- version/oracle communications cloud native core security edge protection proxy/1.6.0
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.5.0
- canonical/oracle database
- version/oracle database/12.2.0.1
- version/oracle database/19c
- version/oracle database/21c
- canonical/oracle graph server and client
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.2
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle managed file transfer
- version/oracle managed file transfer/12.2.1.3.0
- version/oracle managed file transfer/12.2.1.4.0
- canonical/oracle mysql enterprise monitor
- version/oracle mysql enterprise monitor/8.0.23
- canonical/oracle siebel ui framework
- version/oracle siebel ui framework/21.9