Service Notices
Apache Tomcat Cluster Deserialization Vulnerability Leading to Remote Code Execution
May 22, 2020 GMT+08:00
I. Overview
Security researchers have disclosed on GitHub that Apache Tomcat clustering has a deserialization vulnerability that can lead to remote code execution. If a Tomcat cluster uses the session synchronization (session replication) function but no EncryptInterceptor is configured to encrypt the cluster channel, attackers can send crafted messages that exploit the deserialization flaw to achieve remote code execution.
We therefore remind Apache Tomcat users to check their deployments and apply security hardening promptly.
Reference link:
https://github.com/threedr3am/tomcat-cluster-session-sync-exp?spm=a2c4g.11174386.n2.4.61b91051FWOWf5
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
This vulnerability can be exploited when a Tomcat cluster meets both of the following conditions:
a. The session synchronization function of the Tomcat cluster is enabled.
b. The EncryptInterceptor is not configured for encryption.
IV. Vulnerability Handling
Mitigation measures:
1. If session synchronization is enabled on a Tomcat cluster, the EncryptInterceptor must be configured so that cluster communication is encrypted. Configuration reference:
2. Expose the Tomcat cluster only to trusted networks, so that attackers on untrusted networks cannot reach the cluster channel and exploit this vulnerability.
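Added here as a self-check for the two conditions above and the first mitigation (this script is not part of this notice): it parses a Tomcat server.xml and reports any Cluster whose Channel has no EncryptInterceptor, with a constructed weak configuration embedded beside the hardened one. Element and attribute names follow Tomcat's documented cluster configuration; the sample XML fragments and the key value are constructed placeholders.

```python
"""Added self-check for the conditions above: a <Cluster> (session replication on)
whose <Channel> has no EncryptInterceptor with an encryptionKey. Element and
attribute names follow Tomcat's cluster configuration; the sample server.xml
fragments and the key value below are constructed placeholders."""
import xml.etree.ElementTree as ET

ENCRYPT_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"


def unencrypted_clusters(server_xml: str) -> list:
    """Return one finding per Cluster whose Channel is not encrypted."""
    findings = []
    for cluster in ET.fromstring(server_xml).iter("Cluster"):
        name = cluster.get("className", "<Cluster>")
        channel = cluster.find("Channel")
        interceptors = [] if channel is None else channel.findall("Interceptor")
        encrypt = [i for i in interceptors if i.get("className") == ENCRYPT_INTERCEPTOR]
        if not encrypt:
            findings.append(f"{name}: no EncryptInterceptor in Channel")
        elif not any(i.get("encryptionKey") for i in encrypt):
            findings.append(f"{name}: EncryptInterceptor has no encryptionKey")
    return findings


# Constructed sample: session replication enabled, cluster channel not encrypted.
WEAK_SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver" address="auto" port="4000"/>
    </Channel>
  </Cluster>
</Engine>"""

# Constructed sample: the same cluster with the EncryptInterceptor added. The key is
# a placeholder; generate your own random 128-, 192- or 256-bit key, hex encoded.
HARDENED_SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
    <Channel className="org.apache.catalina.tribes.group.GroupChannel">
      <Receiver className="org.apache.catalina.tribes.transport.nio.NioReceiver" address="auto" port="4000"/>
      <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                   encryptionKey="00112233445566778899aabbccddeeff"/>
    </Channel>
  </Cluster>
</Engine>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, unencrypted_clusters(xml) or ["OK"])
```

Run it against a real server.xml by passing the file contents to `unencrypted_clusters`; an empty list means every cluster channel carries a keyed EncryptInterceptor.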
Note: Back up your files and test thoroughly before applying any fix.