On May 20, 2020, the National Vulnerability Database (NVD) published a new CVE—CVE-2020-9484. The vulnerability associated with CVE-2020-9484 allows any anonymous attacker with internet access to submit a malicious request to a Tomcat Server that has PersistentManager enabled using FileStore. This is not the default setup, but it can be configured by administrators in this way. Red Timmy Security wrote in detail about the vulnerability and exploit.
The great news is that Contrast Protect customers are protected from this vulnerability being exploited.
CVE-2020-9484 as Untrusted Deserialization
The vulnerability is categorized as untrusted deserialization. MITRE defines untrusted deserialization in CWE-502 as, “The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.” In the case of the Tomcat vulnerability, the PersistentManager uses the ObjectInputStream to deserialize and read the session information.