Amazon Linux 2 Security Advisory: ALASTOMCAT8.5-2023-008
Advisory Release Date: 2023-08-21 20:58 Pacific
Advisory Updated Date: 2023-09-25 21:58 Pacific
A deserialization flaw was discovered in Apache Tomcat's use of a FileStore. Under specific circumstances, an attacker can use a specially crafted request to trigger Remote Code Execution through deserialization of the file under their control. The highest threat from the vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-9484)
Affected Packages:
tomcat
Note:
This advisory is applicable to Amazon Linux 2 - Tomcat8.5 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update tomcat to update your system.
noarch:
tomcat-8.5.56-1.amzn2.noarch
tomcat-admin-webapps-8.5.56-1.amzn2.noarch
tomcat-docs-webapp-8.5.56-1.amzn2.noarch
tomcat-javadoc-8.5.56-1.amzn2.noarch
tomcat-jsvc-8.5.56-1.amzn2.noarch
tomcat-jsp-2.3-api-8.5.56-1.amzn2.noarch
tomcat-lib-8.5.56-1.amzn2.noarch
tomcat-servlet-3.1-api-8.5.56-1.amzn2.noarch
tomcat-el-3.0-api-8.5.56-1.amzn2.noarch
tomcat-webapps-8.5.56-1.amzn2.noarch
src:
tomcat-8.5.56-1.amzn2.src