Desktop Central is not vulnerable to RCE (CVE-2020-9484)

Is Desktop Central vulnerable to this CVE?

No, Desktop Central is not vulnerable to the CVE-2020-9484 Remote Code Execution (RCE) vulnerability. Read this document in full for further details.

What was the issue?

A Remote Code Execution (RCE) vulnerability (CVE-2020-9484) in Apache Tomcat (versions below 8.5.55), originating in the persistent session manager, allows unauthenticated attackers to execute arbitrary code.

To exploit this vulnerability, an attacker must meet all of the following conditions:

  1. the attacker is able to control the contents and name of a file on the server; and
  2. the server is configured to use the PersistenceManager with a FileStore; and
  3. the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" or a sufficiently non-restrictive filter, so that the untrusted object provided by the attacker is deserialized; and
  4. the attacker knows the relative file path from the storage location used by the FileStore to the file under their control. A specifically crafted request then triggers remote code execution via deserialization of that file.
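Conditions 2 and 3 are pure configuration, so they can be audited from a context's `context.xml`. The script below is an added example, not part of this advisory or of Desktop Central's code; it uses Tomcat's standard `Manager`/`Store` element and attribute names, and the three sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed sample: PersistentManager + FileStore with no class-name filter (conditions 2 and 3 met)
RISKY_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: same store, but deserialization restricted to a short allow-list of classes
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

# Constructed sample: no <Manager> element at all, so the persistent manager is not in use
NO_MANAGER_CONTEXT = "<Context/>"


def audit_context_xml(xml_text: str) -> dict:
    """Report which of the advisory's configuration preconditions a context.xml meets."""
    root = ET.fromstring(xml_text)
    findings = {"persistent_manager": False, "file_store": False,
                "unrestricted_filter": False, "at_risk": False}
    for manager in root.iter("Manager"):  # iter() also visits the root element itself
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        uses_file_store = any(s.get("className") == FILE_STORE
                              for s in manager.findall("Store"))
        flt = manager.get("sessionAttributeValueClassNameFilter")
        # An absent filter, or the literal "null", places no restriction on the classes
        # deserialized from the store on the Tomcat versions the advisory lists as affected
        unrestricted = flt is None or flt.strip().lower() == "null"
        findings["persistent_manager"] = True
        findings["file_store"] |= uses_file_store
        findings["unrestricted_filter"] |= unrestricted
        # All three conditions must hold on the same Manager for the preconditions to be met
        findings["at_risk"] |= uses_file_store and unrestricted
    return findings


if __name__ == "__main__":
    for name, cfg in [("risky", RISKY_CONTEXT), ("hardened", HARDENED_CONTEXT),
                      ("no-manager", NO_MANAGER_CONTEXT)]:
        print(name, audit_context_xml(cfg))
```

The script audits configuration only; it does not check the Tomcat version, which the advisory gives as the other factor.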

Why is Desktop Central not vulnerable to this CVE?

As mentioned earlier, CVE-2020-9484 does not affect Desktop Central because the PersistenceManager is not used. Additionally, Desktop Central is not vulnerable to Local File Inclusion (LFI) attacks.

Future plan for upgrade

Although Desktop Central is not vulnerable to this CVE, we will upgrade to the latest Apache Tomcat version during our regular third-party component upgrade cycle.