Tag :
Cyber Security

Description

Apache Tomcat Introduction
Tomcat is a core project of Jakarta on Apache Software Foundation. It is developed by Apache, Sun and other individuals and companies. Thanks to Sun's participation and support, the latest Servlet and JSP specifications are always reflected in Tomcat, and Tomcat 5 supports the latest Servlet 2.4 and JSP 2.0 standard. Tomcat is a free open source web application. It is also a lightweight application server. The application is widely used in small and medium-sized systems and concurrent access users, and it is the first choice for developing and debugging JSP programs.

Summary
On May 20, 2020, Apache Tomcat officially released a security bulletin that disclosed a vulnerability causing remote code execution through cluster synchronization sessions. When the Tomcat server uses its own session synchronization, an insecure configuration (without using EncryptInterceptor) leads to a deserialization vulnerability. Attackers can use tomcat's own session synchronization through a specially crafted data packet and exploit this vulnerability to launch remote code execution attack.

Analysis
The tomcat server loads data in the org.apache.catalina.tribes.transport.nio.NioReplicationTask.run () method.

In the drainChannel () method, ClusterData is encapsulated into a ChannelMessage type, and in the subsequent process, the messageDataReceived () method is called in turn.

Finally, we enter the GroupChannel.messageReceived () method.

And we call the XByteBuffer.deserialize () method in the messageReceived () method to perform the deserialization and execute the malicious command in the passed serialized data.

Above all, the vulnerability exploitation ends.

Reproduction
We build Tomcat 8.0.5 + jdk7u210 vulnerability environment, configure session synchronization, the configuration method is as follows:

Add the following configuration in the conf/server.xml configuration file,

We use JDK7u21 's Java runtime environment to start tomcat. The malicious serialized data is transferred to the server through the attack script, and the vulnerability is exploited are as follows:

 

Impacts
Affected Apache Tomcat version:

Apache Software Foundation Tomcat 7.x < 7.0.104
Apache Software Foundation Tomcat 8.x < 8.5.55
Apache Software Foundation Tomcat 9.x < 9.0.35
Apache Software Foundation Tomcat 10.x < 10.0.0-M5

 

Timeline
May 20, 2020 Apache Tomcat officially released a security bulletin that disclosed a vulnerability that caused remote code execution through cluster synchronization session.
May 21, 2020 Sangfor FarSight Labs reproduced this vulnerability successfully, then released alerts and solutions.

Reference
[1].https://seclists.org/oss-sec/2020/q2/136
[2].https://github.com/threedr3am/tomcat-cluster-session-sync-exp

 

Solution

Remediation Solution
The latest official version (Apache Software Foundation Tomcat 7.0.104, Apache Software Foundation Tomcat 8.5.55, Apache Software Foundation Tomcat 9.0.35, Apache Software Foundation Tomcat 10.0.0-M5) has fixed this vulnerability. Please visit the following link to download the latest version:

https://tomcat.apache.org/

Temporary Solution
Users can configure PersistenceManager for sessionAttributeValueClassNameFilter to ensure that only the attributes provided by the application are serialized and deserialized.

Sangfor Solution
Sangfor Host Security has updated its detection capability once the vulnerability broke out. Users can upgrade to quickly detect whether the network is affected by this high risk and avoid being used by attackers. Offline users are required to download offline update package for detection capability. Online users can automatically obtain detection capabilities.

For Sangfor NGAF customers, keep NGAF security protection rules up to date.

Sangfor Cyber Command is capable of detecting attacks exploiting this vulnerability and alerting users. Users can correlate Cyber Command to Sangfor NGAF to block attacker IP address.
 

Sangfor SOC makes sure that Sangfor security specialists are available 24/7 to you for any security issue. Sangfor security experts scan the customer's network environment in the first place to ensure that the customer's host is free from this vulnerability. For users with vulnerabilities, we reviewed and updated device policies to ensure protection capability against this vulnerability.

Listen To This Post

Search

Keyword maximum 256 character

Get in Touch

Get in Touch with Sangfor Team for Business Inquiry

Related Articles

Cyber Security

The AT&T Data Breach: Over 73 Million Customer Data Exposed

Date : 15 Apr 2024
Read Now
Cyber Security

What Are the Top 5 Benefits of SD-WAN?

Date : 29 Mar 2024
Read Now
Cyber Security

World Backup Day 2024: Save Digital Memories

Date : 29 Mar 2024
Read Now

See Other Product

Cyber Command - NDR Platform
Endpoint Secure
Internet Access Gateway (IAG)
Sangfor Network Secure - Next Generation Firewall
Platform-X
Sangfor Access Secure

Meet the Author

sangfor building image

Sangfor Technologies

Sangfor Technologies is a leading vendor of Cyber Security and Cloud Computing solutions. The majority of the blogs that you are seeing here are written by professionals working at Sangfor. We have a team of content writers, product managers and marketing experts who are taking care of writing articles on various topics that are relevant to our audience. Our team ensures that the articles published are factually correct and helpful to our customers and partners to know more about the recent trends on Cyber Security and Cloud, and how it can help their organizations.

  • facebook
  • twitter
  • linkedin
  • youtube
  • instagram
See Author's Detail