diff --git a/SOURCES/tomcat-7.0.76-CVE-2020-9484.patch b/SOURCES/tomcat-7.0.76-CVE-2020-9484.patch
new file mode 100644
index 0000000..fc13d53
--- /dev/null
+++ b/SOURCES/tomcat-7.0.76-CVE-2020-9484.patch
@@ -0,0 +1,76 @@
+diff -up ./java/org/apache/catalina/session/FileStore.java.orig ./java/org/apache/catalina/session/FileStore.java
+--- ./java/org/apache/catalina/session/FileStore.java.orig 2017-03-09 08:51:39.000000000 -0500
++++ ./java/org/apache/catalina/session/FileStore.java 2020-05-21 16:30:46.328792003 -0400
+@@ -32,6 +32,8 @@ import org.apache.catalina.Context;
+ import org.apache.catalina.Loader;
+ import org.apache.catalina.Session;
+ import org.apache.juli.logging.Log;
++import org.apache.juli.logging.LogFactory;
++import org.apache.tomcat.util.res.StringManager;
+
+ /**
+ * Concrete implementation of the Store interface that utilizes
+@@ -42,6 +44,10 @@ import org.apache.juli.logging.Log;
+ */
+ public final class FileStore extends StoreBase {
+
++ private static final Log log = LogFactory.getLog(FileStore.class);
++ private static final StringManager sm = StringManager.getManager(FileStore.class);
++
++
+ // ----------------------------------------------------- Constants
+
+ /**
+@@ -389,11 +395,20 @@ public final class FileStore extends Sto
+ * used in the file naming.
+ */
+ private File file(String id) throws IOException {
+- if (this.directory == null) {
++ File storageDir = directory();
++ if (storageDir == null) {
+ return null;
+ }
++
+ String filename = id + FILE_EXT;
+- File file = new File(directory(), filename);
++ File file = new File(storageDir, filename);
++
++ // Check the file is within the storage directory
++ if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
++ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
++ return null;
++ }
++
+ return file;
+ }
+ }
+diff -up ./java/org/apache/catalina/session/LocalStrings.properties.orig ./java/org/apache/catalina/session/LocalStrings.properties
+--- ./java/org/apache/catalina/session/LocalStrings.properties.orig 2017-03-09 08:51:39.000000000 -0500
++++ ./java/org/apache/catalina/session/LocalStrings.properties 2020-05-21 16:30:46.329792001 -0400
+@@ -20,6 +20,7 @@ fileStore.loading=Loading Session {0} fr
+ fileStore.removing=Removing Session {0} at file {1}
+ fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location
+ fileStore.createFailed=Unable to create directory [{0}] for the storage of session data
++fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}]
+ JDBCStore.close=Exception closing database connection {0}
+ JDBCStore.saving=Saving Session {0} to database {1}
+ JDBCStore.loading=Loading Session {0} from database {1}
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- ./webapps/docs/changelog.xml.orig 2020-05-21 16:30:46.338791987 -0400
++++ ./webapps/docs/changelog.xml 2020-05-21 16:31:22.209735361 -0400
+@@ -57,6 +57,15 @@
+ They eventually become mixed with the numbered issues. (I.e., numbered
+ issues do not "pop up" wrt. others).
+ -->
++
++
++
++
++ Improve validation of storage location when using FileStore. (markt)
++
++
++
++
+
+
+
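Review bot: The containment check added to FileStore.file() at `if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath()))` compares bare path strings, so a path whose canonical form lands in a sibling directory whose name merely extends the storage directory's name (for example a storage directory `sessions` next to a directory `sessions2`) still satisfies the prefix test and is treated as inside the store. Anchoring the prefix at a separator closes that gap without needing `File.toPath()`, which this Tomcat 7 code base may not be able to assume: `String base = storageDir.getCanonicalPath(); if (!base.endsWith(File.separator)) base += File.separator;` and then `startsWith(base)`. The rejection branch already logs `fileStore.invalid` with the path and id, which is the right detection signal to keep. The changelog.xml hunk in this patch appears to have lost its XML markup in this copy, so that part cannot be checked here; the spec-file hunks are routine wiring of Patch18 and need nothing further.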
diff --git a/SPECS/tomcat.spec b/SPECS/tomcat.spec
index 0581db7..21ea668 100644
--- a/SPECS/tomcat.spec
+++ b/SPECS/tomcat.spec
@@ -54,7 +54,7 @@
Name: tomcat
Epoch: 0
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 11%{?dist}
+Release: 12%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
Group: System Environment/Daemons
@@ -102,6 +102,7 @@ Patch14: %{name}-7.0.76-CVE-2018-8034.patch
Patch15: %{name}-7.0.76-rhbz-1588703.patch
Patch16: %{name}-7.0.76-rhbz-1455483.patch
Patch17: %{name}-7.0.76-CVE-2020-1938.patch
+Patch18: %{name}-7.0.76-CVE-2020-9484.patch
BuildArch: noarch
@@ -264,6 +265,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch15 -p0
%patch16 -p0
%patch17 -p0
+%patch18 -p0
%{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar
@@ -708,8 +710,11 @@ fi
%attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service
%changelog
+* Thu May 21 2020 Coty Sutherland 0:7.0.76-12
+- Resolves: CVE-2020-9484 tomcat: Apache Tomcat Remote Code Execution via session persistence
+
* Tue Mar 03 2020 Coty Sutherland 0:7.0.76-11
-- Resolves: rhbz#1806801 CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
+- Resolves: rhbz#1806802 CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
* Tue Sep 03 2019 Coty Sutherland 0:7.0.76-10
- Resolves: rhbz#1748541 Bump tomcat release number