* The attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. * The PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized. Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets.
* The server is configured to use the PersistenceManager with a FileStore. * An attacker is able to control the contents and name of a file on the server. An attacker can exploit the flaw if all of the following are true:
APACHE TOMCAT 9.0 27 EXPLOIT INSTALL
Proof of Concept: Install a Java Runtime Environment (JRE) Download a vulnerable version of Tomcat and extract the contents Modify line 19 of the conf\context.xml. A use-after-free vulnerability introduced in glibc upstream version 2.14 was found in the way the tilde expansion was carried out. A file (usually '.shtml') with the 'printenv' SSI directive must exist within the web application. Note: Versions mentioned in the description apply to the upstream glibc package. A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Introduced through : tomcat9.0.27 glibc/multiarch-support2.24-11+deb9u4.
0 kommentar(er)
