QID 352298
Date Published: 2021-05-19
QID 352298: Amazon Linux Security Update for tomcat7: AL2012-2021-341
Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2021-25329:
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
1934061: CVE-2021-25329 tomcat: Incomplete fix for CVE-2020-9484 (RCE via session persistence)
CVE-2020-9484:
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability.
1838332: CVE-2020-9484 tomcat: deserialization flaw in session persistence storage leading to RCE
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
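The description above names the two conditions that matter in practice: a Tomcat build inside the listed version ranges, and session persistence through a PersistentManager backed by a FileStore. The following audit helper is an added example (not code from the Qualys page, Amazon Linux or the Tomcat project) that checks both from a version string and a context.xml document. It encodes the version ranges exactly as the advisory text lists them, and it treats an unset sessionAttributeValueClassNameFilter as the weak case, following the Tomcat Manager documentation, which applies no filter when the attribute is absent unless a SecurityManager is enabled; the restrictive regex in the hardened fragment is the default Tomcat uses under a SecurityManager. All three context.xml fragments and the version strings fed to it are constructed for this example.

```python
"""Audit helper for the CVE-2020-9484 / CVE-2021-25329 exposure described above.
Added example, not part of the Qualys page, Amazon Linux or Tomcat. Two checks:
  1. is a reported Tomcat version inside the affected ranges the advisory lists?
  2. does a context.xml persist sessions with PersistentManager + FileStore, and
     does it restrict sessionAttributeValueClassNameFilter?
The context.xml fragments at the bottom are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges (inclusive) exactly as listed in the CVE-2021-25329 text above.
AFFECTED_RANGES = [
    ("7.0.0", "7.0.107"),
    ("8.5.0", "8.5.61"),
    ("9.0.0.M1", "9.0.41"),
    ("10.0.0-M1", "10.0.0"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Map '8.5.61', '9.0.0.M1' or '10.0.0-M1' to a sortable tuple.
    A milestone M<n> sorts before the final release with the same number, so
    the final release gets a milestone rank above any real milestone."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    rank = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), rank)


def version_affected(text):
    """True when the version falls inside one of the advisory's ranges."""
    key = parse_version(text)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
FILTER_ATTR = "sessionAttributeValueClassNameFilter"


def file_store_config(xml_text):
    """Return (uses_file_store, class_name_filter) for one context.xml document.
    uses_file_store is True when a PersistentManager wraps a FileStore, i.e. the
    session-persistence prerequisite of CVE-2020-9484 is met. class_name_filter
    is the manager's filter regex, or None when the attribute is unset (Tomcat
    then applies no filter unless a SecurityManager is enabled)."""
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        store = manager.find("Store")
        if store is not None and store.get("className") == FILE_STORE:
            return True, manager.get(FILTER_ATTR)
    return False, None


def assess(version, xml_text):
    """Combine both checks into one verdict for a single Tomcat instance."""
    if not version_affected(version):
        return "version-not-in-affected-range"
    uses_file_store, class_filter = file_store_config(xml_text)
    if not uses_file_store:
        return "no-file-store"          # session-persistence prerequisite not met
    if class_filter is None:
        return "exposed-unfiltered"     # any class on the classpath may be deserialised
    return "review-filter"              # a filter exists; confirm it is tight enough


# Constructed sample: the weak configuration, FileStore persistence with no filter.
WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="/tmp/sessions"/>
  </Manager>
</Context>"""

# Constructed sample: same persistence, filter restricted to the value types the
# application stores (this regex is Tomcat's own default under a SecurityManager).
HARDENED_CONTEXT_XML = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="/var/lib/tomcat7/sessions"/>
  </Manager>
</Context>"""

# Constructed sample: the default in-memory StandardManager, no FileStore at all.
DEFAULT_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""

if __name__ == "__main__":
    samples = (("weak", WEAK_CONTEXT_XML), ("hardened", HARDENED_CONTEXT_XML),
               ("default", DEFAULT_CONTEXT_XML))
    for label, xml_text in samples:
        for ver in ("7.0.107", "7.0.108"):
            print("%-9s tomcat %-8s %s" % (label, ver, assess(ver, xml_text)))
```

A "review-filter" verdict is not a pass: a filter only helps if it excludes every gadget class the attacker could reach, so compare the regex against the attribute types the application really stores. A "version-not-in-affected-range" verdict is the only outcome that removes the issue entirely, which is why the package update this page announces remains the fix; the filter and the choice of manager are the published mitigations for installations that cannot update yet.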
CVEs related to QID 352298
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| AL2012-2021-341 | Amazon Linux Bare Metal | tomcat7 | |