Dear Community,
we are using Sonarqube 6.7.7.38951 with ./lib/server/tomcat-embed-core-8.5.38.jar
and Sonarqube 7.9.2.30863 with ./lib/common/tomcat-embed-core-8.5.38.jar
.
We wanted to make sure that these installations are not affected by CVE-2020-9484 which is described as:
Description
Apache Tomcat contains a flaw in the PersistenceManager that is triggered as the contents and name of a file may be insecurely deserialized. With a specially crafted request, an authenticated remote attacker can potentially execute arbitrary code.
This vulnerability is only present if the PersistenceManager is configured to be used with a file store and with sessionAttributeValueClassNameFilter=“null”. Furthermore the attacker must know the relative file path from the storage location used by FileStore.
The Apache Software Foundation -> Apache Tomcat -> 7.0.104 The Apache Software Foundation -> Apache Tomcat -> 8.5.55 The Apache Software Foundation -> Apache Tomcat -> 9.0.35 The Apache Software Foundation -> Apache Tomcat -> 10.0.0.M5
Reference
https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469@<users.tomcat.apache.org>
https://access.redhat.com/security/cve/cve-2020-9484
CVE-2020-9484
However, I could not find anything in the Sonarqube configuration in regards to the PersistenceManager
being in use or not.
There is also nothing regarding this CVE in Sonarqubes issue tracker at https://jira.sonarsource.com/projects/SONAR/issues/
Thanks in advance!
Florian from Audi Business Innovation.