Is SonarQube affected by CVE-2020-9484?

Dear Community,

We are using SonarQube 6.7.7.38951 with ./lib/server/tomcat-embed-core-8.5.38.jar and SonarQube 7.9.2.30863 with ./lib/common/tomcat-embed-core-8.5.38.jar.

We wanted to make sure that these installations are not affected by CVE-2020-9484 which is described as:

Description

Apache Tomcat contains a flaw in the PersistenceManager that is triggered as the contents and name of a file may be insecurely deserialized. With a specially crafted request, an authenticated remote attacker can potentially execute arbitrary code.

This vulnerability is only present if the PersistenceManager is configured to be used with a file store and with sessionAttributeValueClassNameFilter="null". Furthermore, the attacker must know the relative file path from the storage location used by FileStore.

- The Apache Software Foundation -> Apache Tomcat -> 7.0.104
- The Apache Software Foundation -> Apache Tomcat -> 8.5.55
- The Apache Software Foundation -> Apache Tomcat -> 9.0.35
- The Apache Software Foundation -> Apache Tomcat -> 10.0.0.M5

Reference

https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469@<users.tomcat.apache.org>
https://access.redhat.com/security/cve/cve-2020-9484

However, I could not find anything in the SonarQube configuration in regards to the PersistenceManager being in use or not.

There is also nothing regarding this CVE in SonarQube's issue tracker at https://jira.sonarsource.com/projects/SONAR/issues/

Thanks in advance!

Florian from Audi Business Innovation.

Hey @fbuchmeier ,

Thank you for bringing this up, I will have a look.
For your information, our disclosure policy calls for another way to report potential vulnerabilities. I've "unlisted" the topic for now.

Tobias

Hi @fbuchmeier ,

A backend dev just confirmed that we are not using the persistence manager, as everything is stateless (when you restart SonarQube your session is just lost). The Tomcat default manager is org.apache.catalina.session.StandardManager, which is not affected by this CVE.

Thanks again for raising awareness, and I hope that you upgrade the 6.7.7.38951 instance soon :sweat_smile:
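The preconditions quoted in the question (PersistentManager + FileStore, no sessionAttributeValueClassNameFilter) and the StandardManager default confirmed in the reply above, turned into a check of a Tomcat context.xml. This is an added example, not code from the thread or from SonarSource; the sample configurations are constructed and the `assess_session_manager` function and its field names are this example's own.

```python
"""Check a Tomcat context.xml for the CVE-2020-9484 preconditions."""
import xml.etree.ElementTree as ET

# Default session manager named in the thread; not affected by the CVE.
STANDARD_MANAGER = "org.apache.catalina.session.StandardManager"


def assess_session_manager(context_xml: str) -> dict:
    """Return which CVE-2020-9484 preconditions a context.xml satisfies.

    'exposed' is True only when all three hold: a PersistentManager,
    a FileStore beneath it, and no sessionAttributeValueClassNameFilter.
    """
    root = ET.fromstring(context_xml)
    manager = root.find("Manager")
    if manager is None:
        # No <Manager> element: Tomcat falls back to StandardManager.
        return {"manager": STANDARD_MANAGER, "file_store": False,
                "filter_set": False, "exposed": False}
    manager_cls = manager.get("className", STANDARD_MANAGER)
    persistent = manager_cls.endswith("PersistentManager")
    store = manager.find("Store")
    file_store = store is not None and store.get("className", "").endswith("FileStore")
    filter_set = bool(manager.get("sessionAttributeValueClassNameFilter"))
    return {"manager": manager_cls, "file_store": file_store,
            "filter_set": filter_set,
            "exposed": persistent and file_store and not filter_set}


# Constructed sample configurations (not taken from any SonarQube distribution).
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Same store, but the filter restricts which classes may be deserialized.
HARDENED_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# No Manager configured at all, as the reply above describes for SonarQube.
DEFAULT_CONTEXT = "<Context/>"

if __name__ == "__main__":
    for name, xml in [("vulnerable", VULNERABLE_CONTEXT), ("hardened", HARDENED_CONTEXT),
                      ("default", DEFAULT_CONTEXT)]:
        print(name, assess_session_manager(xml))
```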

Thanks for the really fast reply, this clarifies my question!