Apache Tomcat: Remote code execution — GLSA 202006-21

A vulnerability has been discovered in Apache Tomcat which could result in the arbitrary execution of code.

Affected packages

Package: www-servers/tomcat (all architectures)
Affected versions: < 7.0.104, < 8.5.55
Unaffected versions: >= 7.0.104, >= 8.5.55

Background

Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Description

Apache Tomcat improperly handles deserialization of files under specific circumstances.

Impact

A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition.

Workaround

There is no known workaround at this time.

Resolution

All Apache Tomcat 7.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.104"

All Apache Tomcat 8.x users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.55"
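As an added example (not part of the GLSA and not Gentoo's tooling), a small POSIX sh check that classifies a www-servers/tomcat version string against the affected ranges above, so an administrator can confirm whether the installed version still needs the upgrade; the package-database path mentioned in the comments is an assumption.

```shell
# Added example (not part of the GLSA): classify a www-servers/tomcat version
# string against this advisory's ranges: 7.x < 7.0.104 and 8.x < 8.5.55 are
# affected. Only numeric dotted versions with an optional Gentoo -rN revision
# suffix are handled; other branches are reported as "unknown".

# vercmp A B: compare two dotted numeric versions, printing -1, 0 or 1.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"              # leading component of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"  # drop it (missing counts as 0)
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# tomcat_status VERSION: prints "affected", "unaffected" or "unknown".
tomcat_status() {
    v="${1%%-r*}"                  # strip a Gentoo revision such as -r1
    case "$v" in
        7.*) fixed=7.0.104 ;;
        8.*) fixed=8.5.55 ;;
        *)   printf '%s\n' unknown; return 0 ;;
    esac
    if [ "$(vercmp "$v" "$fixed")" -lt 0 ]; then
        printf '%s\n' affected
    else
        printf '%s\n' unaffected
    fi
}

# On a Gentoo host the installed version is the "tomcat-<version>" directory
# name under /var/db/pkg/www-servers/ (assumed path); pass it in, e.g.:
#   tomcat_status 8.5.54-r1
tomcat_status "8.5.54"   # prints: affected
```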

References

Release date
June 15, 2020

Latest revision
June 15, 2020 (revision 1)

Severity
normal

Exploitable
remote

Bugzilla entries