CVE-2021-25329 Overview
CVE-2021-25329 represents an incomplete fix for the previously disclosed CVE-2020-9484, which affects Apache Tomcat's session persistence mechanism. This vulnerability allows attackers with local access to execute arbitrary code through insecure deserialization when specific, edge-case configurations are in use. While the initial patch addressed the primary attack vector, certain configuration scenarios remained vulnerable to the same deserialization attack.
The vulnerability stems from improper handling of serialized session data when using file-based session persistence with the PersistentManager component. An attacker who can control the contents of a session file and knows or can guess the path to that file could trigger remote code execution during the deserialization process.
Critical Impact
Local attackers can potentially achieve remote code execution through insecure deserialization in Apache Tomcat's session persistence mechanism when specific edge-case configurations are used.
Affected Products
- Apache Tomcat 10.0.0-M1 to 10.0.0
- Apache Tomcat 9.0.0.M1 to 9.0.41
- Apache Tomcat 8.5.0 to 8.5.61
- Apache Tomcat 7.0.0 to 7.0.107
- Debian Linux 9.0 and 10.0
- Oracle Agile PLM 9.3.3 and 9.3.6
- Oracle Communications Cloud Native Core Policy 1.14.0
- Oracle Communications Cloud Native Core Security Edge Protection Proxy 1.6.0
- Oracle Database Enterprise Edition (12.2.0.1, 19c, 21c)
- Oracle MySQL Enterprise Monitor
- Oracle Managed File Transfer
- Oracle Siebel UI Framework
Discovery Timeline
- March 1, 2021 - CVE-2021-25329 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-25329
Vulnerability Analysis
This vulnerability is an insecure deserialization issue that exists due to an incomplete patch for CVE-2020-9484. The root cause involves Apache Tomcat's PersistentManager session storage mechanism, which handles serialization and deserialization of HTTP session objects for persistence across server restarts or session failover scenarios.
For successful exploitation, several prerequisites must be met simultaneously, making this a highly specific edge-case vulnerability. The attacker requires local access to the system and the ability to place a maliciously crafted file in a location accessible by the Tomcat process. Additionally, the Tomcat instance must be configured to use PersistentManager with a FileStore, and the attacker must be able to control or predict the session filename.
The deserialization process in Java can instantiate arbitrary objects if a malicious serialized object stream is provided. When combined with commonly available "gadget chains" from libraries present in the classpath, this can lead to arbitrary code execution with the privileges of the Tomcat process.
Root Cause
The incomplete fix for CVE-2020-9484 failed to address all code paths where untrusted data could be deserialized. The PersistentManager component uses Java's ObjectInputStream to deserialize session data from disk storage. While the original patch attempted to restrict the classes that could be deserialized, certain configuration edge cases bypassed these restrictions.
The vulnerability exists because the session filename path validation was insufficient, allowing an attacker who could write to specific filesystem locations to inject malicious serialized Java objects that would be processed during session restoration.
Attack Vector
Exploitation requires local access to the target system and occurs through the following general process:
- The attacker crafts a malicious serialized Java object containing a gadget chain that triggers code execution upon deserialization
- The attacker places this malicious file in a location accessible to the Tomcat process, typically requiring write access to the session storage directory or a predictable path
- When Tomcat attempts to restore a session and processes the malicious file, the ObjectInputStream.readObject() method triggers the gadget chain
- The malicious code executes with the privileges of the Tomcat server process
The attack complexity is high due to the specific configuration requirements and the need for local filesystem access. The vulnerability requires the PersistentManager to be configured with a FileStore, which is not a default configuration, making real-world exploitation scenarios relatively uncommon.
Detection Methods for CVE-2021-25329
Indicators of Compromise
- Unexpected or malformed .session files appearing in Tomcat's session storage directory
- Unusual Java process activity or child processes spawned by the Tomcat service
- Evidence of file writes to session storage directories from non-Tomcat processes
- Anomalous deserialization errors in Tomcat catalina logs
Detection Strategies
- Monitor filesystem activity in Tomcat session storage directories for unauthorized file creation or modification
- Implement runtime application self-protection (RASP) to detect and block suspicious deserialization attempts
- Review Tomcat configurations for use of PersistentManager with FileStore and assess necessity
- Deploy endpoint detection solutions capable of identifying Java deserialization attack patterns
Monitoring Recommendations
- Enable detailed logging for the org.apache.catalina.session package to capture session persistence operations
- Configure file integrity monitoring on session storage directories
- Monitor for unusual network connections or process execution originating from the Tomcat Java process
- Set up alerting for deserialization-related exceptions in application logs
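The following is an added example, not code from the original page, of the log-based alerting described in the indicators and monitoring recommendations above: it scans catalina.out records and reports a deserialization exception only when it belongs to a record written by one of Tomcat's session-persistence loggers (org.apache.catalina.session.*), including the indented stack-trace lines that follow the record line. The log lines, logger method names and messages are constructed samples, and the exception list is an assumption about which Java exceptions a rejected or malformed session file produces.

```python
import re
from typing import Dict, List

# Exceptions ObjectInputStream raises when serialized session data is rejected
# by a class filter, references an unknown class, or is malformed (assumed list).
DESER_EXCEPTIONS = (
    "java.io.InvalidClassException",
    "java.lang.ClassNotFoundException",
    "java.io.StreamCorruptedException",
)
# First line of a catalina.out record: "<date> <time> <LEVEL> [<thread>] <logger> <message>".
# Stack-trace lines that follow are indented and carry no timestamp.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]+)\] (?P<logger>\S+) (?P<msg>.*)$"
)
SESSION_LOGGER_PREFIX = "org.apache.catalina.session."


def find_session_deser_errors(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per record in which a session-persistence logger reported a
    deserialization exception, on the record line or its stack-trace lines."""
    alerts: List[Dict[str, str]] = []
    current = None  # record being read, or None if it is not a session logger
    for raw in lines:
        m = RECORD_RE.match(raw)
        if m:
            current = None
            if m.group("logger").startswith(SESSION_LOGGER_PREFIX):
                current = {"ts": m.group("ts"), "logger": m.group("logger"), "exception": ""}
            text = m.group("msg")
        elif current is not None and raw[:1] in (" ", "\t"):
            text = raw.strip()  # continuation (stack-trace) line of the current record
        else:
            continue
        if current is not None and not current["exception"]:
            hit = next((e for e in DESER_EXCEPTIONS if e in text), None)
            if hit:
                current["exception"] = hit
                alerts.append(current)
    return alerts


# Constructed sample records (not real log output): a benign session load, a
# rejected class during session restore, and an unrelated servlet exception.
SAMPLE_LOG = [
    "01-Mar-2021 10:00:00.000 INFO [main] org.apache.catalina.session.FileStore.load Loading Session from file",
    "01-Mar-2021 10:00:01.000 SEVERE [main] org.apache.catalina.session.PersistentManagerBase.load Exception loading sessions from persistent storage",
    "\tjava.io.InvalidClassException: filter status: REJECTED",
    "01-Mar-2021 10:00:02.000 SEVERE [http-nio-8080-exec-1] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() threw exception",
    "\tjava.lang.ClassNotFoundException: com.example.Missing",
]
```

Feeding the function a live catalina.out yields one alert per affected record, which is the event to forward to a SIEM; the unrelated servlet exception in the sample is deliberately not reported.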
How to Mitigate CVE-2021-25329
Immediate Actions Required
- Upgrade Apache Tomcat to a patched version: 10.0.2+, 9.0.42+, 8.5.62+, or 7.0.108+
- Review context.xml and server.xml configurations to identify use of PersistentManager with FileStore
- If PersistentManager is not required, switch to the default in-memory session management
- Restrict filesystem permissions on session storage directories to prevent unauthorized writes
Patch Information
Apache has released patched versions that address this incomplete fix. Organizations should upgrade to the following minimum versions:
- Apache Tomcat 10.0.2 or later
- Apache Tomcat 9.0.42 or later
- Apache Tomcat 8.5.62 or later
- Apache Tomcat 7.0.108 or later
Patches are available through the Apache Tomcat Announcement Thread. Oracle products incorporating vulnerable Tomcat versions should be updated according to the relevant Oracle Critical Patch Updates. Debian users should apply updates per the Debian Security Advisory DSA-4891.
Workarounds
- Disable PersistentManager session storage if not required for application functionality
- Configure strict directory permissions (700) on session storage paths, ensuring only the Tomcat user has access
- Implement network segmentation to limit local access to Tomcat servers
- Use application-level session storage alternatives such as database or Redis-backed session stores
# Configuration example - Disable FileStore PersistentManager
# In context.xml, remove or comment out PersistentManager configuration:
# <Manager className="org.apache.catalina.session.PersistentManager">
# <Store className="org.apache.catalina.session.FileStore"/>
# </Manager>
# Secure session directory permissions (if PersistentManager must be used)
chmod 700 /path/to/tomcat/work/Catalina/localhost/sessions
chown tomcat:tomcat /path/to/tomcat/work/Catalina/localhost/sessions
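As an added example (not the page's or the Tomcat project's code) covering both the configuration review under Immediate Actions and the permission workaround above, the audit below parses a context.xml for a PersistentManager whose Store is a FileStore and checks that a session directory is mode 700 and owned by the Tomcat user. The context.xml fragments, the directory paths and the uid values are constructed samples.

```python
import os
import stat
import xml.etree.ElementTree as ET
from typing import List

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def audit_context_xml(xml_text: str) -> List[str]:
    """Return a finding for every PersistentManager in a context.xml whose
    <Store> is a FileStore, the configuration CVE-2021-25329 depends on."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter("Manager"):
        if mgr.get("className") != PERSISTENT_MANAGER:
            continue
        for store in mgr.iter("Store"):
            if store.get("className") == FILE_STORE:
                where = store.get("directory") or "<Tomcat work directory>"
                findings.append("PersistentManager with FileStore writing to %s: "
                                "remove it or restrict the directory to the Tomcat user" % where)
    return findings


def check_dir_attrs(path: str, mode: int, uid: int, expected_uid: int) -> List[str]:
    """Flag a session directory that is group/world accessible or not owned by
    the Tomcat user (the workaround calls for mode 700 owned by tomcat)."""
    findings = []
    if mode & 0o077:
        findings.append("%s: mode %03o grants group/other access; use chmod 700" % (path, mode))
    if uid != expected_uid:
        findings.append("%s: owned by uid %d, expected the Tomcat uid %d" % (path, uid, expected_uid))
    return findings


def audit_session_dir(path: str, expected_uid: int) -> List[str]:
    """stat() a live directory and run the attribute checks on it."""
    st = os.stat(path)
    return check_dir_attrs(path, stat.S_IMODE(st.st_mode), st.st_uid, expected_uid)


# Constructed context.xml fragments, not taken from a real deployment.
VULNERABLE_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager" maxIdleBackup="30">
    <Store className="org.apache.catalina.session.FileStore" directory="/var/tomcat/sessions"/>
  </Manager>
</Context>"""
DEFAULT_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""
```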
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.