Legacy Knowledge Base
Published Jul. 2, 2025

Apache Tomcat Security Advisory: CVE-2020-9484 (Remote Code Execution via session persistence)

Written By

Jose Jimenez

How To articles are not official guidelines or officially supported documentation. They are community-contributed content and may not always reflect the latest updates to Liferay DXP. We welcome your feedback to improve How To articles!

While we make every effort to ensure this Knowledge Base is accurate, it may not always reflect the most recent updates or official guidelines. We appreciate your understanding and encourage you to reach out with any feedback or concerns.

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided "as is" without guarantee.

Before using any information from this article, independently verify itssuitability for your situation and project.

General Information

Apache Tomcat has recently released new versions to fix a vulnerability tracked as CVE-2020-9484.

As per the information provided by Apache Tomcat:

"If:

  • an attacker is able to control the contents and name of a file on the server; and
  • the server is configured to use the PersistenceManager with a FileStore; and
  • the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
  • the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.

Note: All of conditions above must be true for the attack to succeed."

Affected Software

  • Apache Tomcat 10.0.0-M1 to 10.0.0-M4 (currently not supported by Liferay DXP)
  • Apache Tomcat 9.0.0.M1 to 9.0.34
  • Apache Tomcat 8.5.0 to 8.5.54
  • Apache Tomcat 7.0.0 to 7.0.103

Resolution

Liferay recommends that customers running any of the affected versions read the referenced articles below and apply one of the following mitigations:

  • Upgrade to Apache Tomcat 9.0.35 or later.
  • Upgrade to Apache Tomcat 8.5.55 or later.
  • Upgrade to Apache Tomcat 7.0.104 or later.

Liferay Service Pack and Fix Pack bundles ship with a newer Tomcat micro version in order to assist customers with this migration.

Liferay DXP 7.3

  • Liferay DXP 7.3 GA1 is bundled with Tomcat 9.0.37

Liferay DXP 7.2

  • The Liferay DXP 7.2 Fix Pack 9 bundle includes Tomcat 9.0.37
  • Liferay DXP 7.2 Service Pack 4 is bundled with Tomcat 9.0.40

Liferay DXP 7.1

  • Liferay DXP 7.1 Service Pack 5 is bundled with Tomcat 9.0.37
    • Service Pack 5 includes fix pack 20

Liferay DXP 7.0

  • The Liferay DXP 7.0 Fix Pack 97 bundle includes Tomcat 8.5.57
  • Liferay DXP 7.0 Service Pack 16 is bundled with Tomcat 8.5.57

Alternative Mitigation

"As an alternative to upgrading the Tomcat version, users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only the application provided attributes are serialized and deserialized."
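The following context.xml fragment is an added example (not from this article or from the Tomcat project) showing the vulnerable shape the advisory describes next to the same manager hardened with an explicit sessionAttributeValueClassNameFilter allowlist. The directory name "sessions" and the application package in the second regex are assumed placeholders; the regex must be extended to cover every class your own application actually stores in the session, otherwise those attributes are silently dropped on persist.

```xml
<!-- Added example: TOMCAT_HOME/conf/context.xml -->

<!-- BEFORE (vulnerable shape): sessions are persisted to disk by a FileStore
     and no value class filter is set, which is the same as
     sessionAttributeValueClassNameFilter="null". Any serializable class on
     the classpath may be deserialized from a file the FileStore reads. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30">
    <!-- "sessions" is an assumed directory, relative to the work directory -->
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>

<!-- AFTER (mitigated): identical manager, but Tomcat now checks the fully
     qualified class name of every attribute value it serializes or
     deserializes against this regex and skips anything that does not match.
     The allowlist below is the one Tomcat applies by default only when a
     SecurityManager is active, extended with an assumed application package.
     warnOnSessionAttributeFilterFailure makes each rejected attribute visible
     in catalina.out at WARN level, which is the signal to watch for both
     misconfiguration and attempted abuse. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           maxIdleBackup="30"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.app\.session\..*"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>
```

Apply the same attributes to any per-application context file under TOMCAT_HOME/conf/Catalina/localhost/ that declares its own Manager, since a per-context Manager replaces the default one.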

Workaround

Disable session persistence for all web application contexts by uncommenting the following lines (an empty pathname tells the default StandardManager not to persist sessions across Tomcat restarts):

<!-- Uncomment this to disable session persistence across Tomcat restarts -->
<!--
<Manager pathname="" />
-->

Files to modify:

  • (default context) TOMCAT_HOME/conf/context.xml
  • (ROOT context) TOMCAT_HOME/conf/Catalina/localhost/ROOT.xml
  • (Others) TOMCAT_HOME/conf/Catalina/localhost/*.xml

Additional Information

Liferay is currently evaluating this vulnerability. The usual mitigation is to update the Tomcat version used in our development and maintenance branches, so that future Service Pack releases of Liferay DXP are bundled with a newer Tomcat version in which this vulnerability is already fixed.

References and Recommended Articles
