Description

Apache Tomcat Introduction
Tomcat is a core project of the Jakarta project at the Apache Software Foundation, developed by Apache, Sun and other individuals and companies. Thanks to Sun's participation and support, the latest Servlet and JSP specifications are always reflected in Tomcat, and Tomcat 5 supports the latest Servlet 2.4 and JSP 2.0 standards. Tomcat is a free, open source web application server and a lightweight application server. It is widely used in small and medium-sized systems with a moderate number of concurrent users, and it is the first choice for developing and debugging JSP programs.

Summary
On May 20, 2020, Apache Tomcat officially released a security bulletin disclosing a vulnerability that allows remote code execution through cluster session synchronization. When the Tomcat server uses its built-in session synchronization with an insecure configuration (a cluster channel without EncryptInterceptor), replication messages received from the network are deserialized without protection, which results in a deserialization vulnerability. An attacker who can reach the cluster channel can send a specially crafted packet containing malicious serialized data and exploit this vulnerability to achieve remote code execution.

Analysis
The Tomcat server reads incoming cluster data in the org.apache.catalina.tribes.transport.nio.NioReplicationTask.run() method.

In the drainChannel() method, the received ClusterData is wrapped in a ChannelMessage, and in the subsequent processing the messageDataReceived() method is called in turn.

Finally, control reaches the GroupChannel.messageReceived() method.

The messageReceived() method calls XByteBuffer.deserialize() to deserialize the message body, so a malicious object graph in the passed serialized data is deserialized and the attacker's command is executed.

At this point the exploitation is complete.

Reproduction
We built a vulnerable environment with Tomcat 8.0.5 + jdk7u210 and configured session synchronization. The configuration method is as follows:

Add the following configuration to the conf/server.xml configuration file:

We started Tomcat using the JDK7u21 Java runtime environment. The malicious serialized data is sent to the server by the attack script, and the vulnerability is exploited as shown below:


Impacts
Affected Apache Tomcat version:

Apache Software Foundation Tomcat 7.x < 7.0.104
Apache Software Foundation Tomcat 8.x < 8.5.55
Apache Software Foundation Tomcat 9.x < 9.0.35
Apache Software Foundation Tomcat 10.x < 10.0.0-M5


Timeline
May 20, 2020: Apache Tomcat officially released a security bulletin disclosing a vulnerability that allows remote code execution through cluster session synchronization.
May 21, 2020: Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.



Solution

Remediation Solution
The latest official version (Apache Software Foundation Tomcat 7.0.104, Apache Software Foundation Tomcat 8.5.55, Apache Software Foundation Tomcat 9.0.35, Apache Software Foundation Tomcat 10.0.0-M5) has fixed this vulnerability. Please visit the following link to download the latest version:

https://tomcat.apache.org/

Temporary Solution
Users can set the sessionAttributeValueClassNameFilter attribute on the PersistentManager so that only the attribute classes the application actually needs are serialized and deserialized; all other classes are rejected when a session is loaded.
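The configuration below is an added illustration, not part of the original advisory or of the Tomcat project's documentation. It shows the insecure bare cluster element next to a cluster channel that adds EncryptInterceptor (the Summary's missing piece), and the PersistentManager filter from the temporary solution. The Membership/Receiver/Sender values are Tomcat's documented defaults used for illustration, the key is a placeholder, the filter regex is a sample for an application that stores only simple java.lang values, and the position of EncryptInterceptor in the chain is an assumption to be checked against the documentation for your Tomcat release.

```xml
<!-- server.xml, INSECURE: a bare cluster uses the default channel, so replication
     messages from anyone who can reach the receiver port are deserialized as-is. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>

<!-- server.xml, HARDENED: explicit channel with EncryptInterceptor so the channel
     only accepts messages that decrypt under the shared cluster key. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <!-- Tomcat documented defaults, for illustration -->
    <Membership className="org.apache.catalina.tribes.membership.McastService"
                address="228.0.0.4" port="45564" frequency="500" dropTime="3000"/>
    <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver"
              address="auto" port="4000" selectorTimeout="5000" maxThreads="6"/>
    <Sender className="org.apache.catalina.tribes.transport.ReplicationTransmitter">
      <Transport className="org.apache.catalina.tribes.transport.nio.PooledParallelSender"/>
    </Sender>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
    <!-- Placeholder key: generate a random 16/24/32-byte key, hex-encoded, shared by all nodes.
         Interceptor position assumed here; verify against the docs for your version. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="REPLACE_WITH_HEX_ENCODED_KEY"/>
  </Channel>
</Cluster>

<!-- context.xml, temporary mitigation: only session attribute values whose class
     name matches this regex are persisted and restored; anything else is dropped.
     Sample regex for an app that stores only simple java.lang values. -->
<Manager className="org.apache.catalina.session.PersistentManager"
         sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
  <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
</Manager>
```

After changing the channel, restart every node: nodes with and without EncryptInterceptor cannot exchange sessions, which makes a partially rolled-out configuration easy to spot in the cluster logs.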

Sangfor Solution
Sangfor Host Security updated its detection capability as soon as the vulnerability was disclosed. Users can upgrade to quickly detect whether their network is affected by this high-risk vulnerability and avoid being targeted by attackers. Offline users need to download the offline update package for the detection capability; online users obtain the detection capability automatically.

For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command with Sangfor NGAF to block the attacker's IP address.

Sangfor SOC ensures that Sangfor security specialists are available 24/7 for any security issue. As a first step, Sangfor security experts scan the customer's network environment to confirm that the customer's hosts are free from this vulnerability. For customers with vulnerable hosts, we review and update device policies to ensure protection against this vulnerability.
