diff --git a/SOURCES/tomcat-7.0.76-CVE-2020-9484.patch b/SOURCES/tomcat-7.0.76-CVE-2020-9484.patch
new file mode 100644
index 0000000..fc13d53
--- /dev/null
+++ b/SOURCES/tomcat-7.0.76-CVE-2020-9484.patch
@@ -0,0 +1,76 @@
+diff -up ./java/org/apache/catalina/session/FileStore.java.orig ./java/org/apache/catalina/session/FileStore.java
+--- ./java/org/apache/catalina/session/FileStore.java.orig 2017-03-09 08:51:39.000000000 -0500
++++ ./java/org/apache/catalina/session/FileStore.java 2020-05-21 16:30:46.328792003 -0400
+@@ -32,6 +32,8 @@ import org.apache.catalina.Context;
+ import org.apache.catalina.Loader;
+ import org.apache.catalina.Session;
+ import org.apache.juli.logging.Log;
++import org.apache.juli.logging.LogFactory;
++import org.apache.tomcat.util.res.StringManager;
+
+ /**
+ * Concrete implementation of the Store interface that utilizes
+@@ -42,6 +44,10 @@ import org.apache.juli.logging.Log;
+ */
+ public final class FileStore extends StoreBase {
+
++ private static final Log log = LogFactory.getLog(FileStore.class);
++ private static final StringManager sm = StringManager.getManager(FileStore.class);
++
++
+ // ----------------------------------------------------- Constants
+
+ /**
+@@ -389,11 +395,20 @@ public final class FileStore extends Sto
+ * used in the file naming.
+ */
+ private File file(String id) throws IOException {
+- if (this.directory == null) {
++ File storageDir = directory();
++ if (storageDir == null) {
+ return null;
+ }
++
+ String filename = id + FILE_EXT;
+- File file = new File(directory(), filename);
++ File file = new File(storageDir, filename);
++
++ // Check the file is within the storage directory
++ if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
++ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
++ return null;
++ }
++
+ return file;
+ }
+ }
+diff -up ./java/org/apache/catalina/session/LocalStrings.properties.orig ./java/org/apache/catalina/session/LocalStrings.properties
+--- ./java/org/apache/catalina/session/LocalStrings.properties.orig 2017-03-09 08:51:39.000000000 -0500
++++ ./java/org/apache/catalina/session/LocalStrings.properties 2020-05-21 16:30:46.329792001 -0400
+@@ -20,6 +20,7 @@ fileStore.loading=Loading Session {0} fr
+ fileStore.removing=Removing Session {0} at file {1}
+ fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location
+ fileStore.createFailed=Unable to create directory [{0}] for the storage of session data
++fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}]
+ JDBCStore.close=Exception closing database connection {0}
+ JDBCStore.saving=Saving Session {0} to database {1}
+ JDBCStore.loading=Loading Session {0} from database {1}
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- ./webapps/docs/changelog.xml.orig 2020-05-21 16:30:46.338791987 -0400
++++ ./webapps/docs/changelog.xml 2020-05-21 16:31:22.209735361 -0400
+@@ -57,6 +57,15 @@
+ They eventually become mixed with the numbered issues. (I.e., numbered
+ issues do not "pop up" wrt. others).
+ -->
++
++
++
++
++ Improve validation of storage location when using FileStore. (markt)
++
++
++
++
+
+ + diff --git a/SPECS/tomcat.spec b/SPECS/tomcat.spec index 0581db7..21ea668 100644 --- a/SPECS/tomcat.spec +++ b/SPECS/tomcat.spec @@ -54,7 +54,7 @@ Name: tomcat Epoch: 0 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 11%{?dist} +Release: 12%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Group: System Environment/Daemons @@ -102,6 +102,7 @@ Patch14: %{name}-7.0.76-CVE-2018-8034.patch Patch15: %{name}-7.0.76-rhbz-1588703.patch Patch16: %{name}-7.0.76-rhbz-1455483.patch Patch17: %{name}-7.0.76-CVE-2020-1938.patch +Patch18: %{name}-7.0.76-CVE-2020-9484.patch BuildArch: noarch @@ -264,6 +265,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch15 -p0 %patch16 -p0 %patch17 -p0 +%patch18 -p0 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar @@ -708,8 +710,11 @@ fi %attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service %changelog +* Thu May 21 2020 Coty Sutherland 0:7.0.76-12 +- Resolves: CVE-2020-9484 tomcat: Apache Tomcat Remote Code Execution via session persistence + * Tue Mar 03 2020 Coty Sutherland 0:7.0.76-11 -- Resolves: rhbz#1806801 CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability +- Resolves: rhbz#1806802 CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability * Tue Sep 03 2019 Coty Sutherland 0:7.0.76-10 - Resolves: rhbz#1748541 Bump tomcat release number
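Review bot: The containment check added to file() in FileStore.java compares canonical paths with String.startsWith, which is a prefix test on characters rather than on path components, so a sibling directory whose name begins with the storage directory's name (e.g. `sessions` next to `sessions2`) would pass: an id such as `../sessions2/x` canonicalises to `…/sessions2/x.session`, and that string does start with `…/sessions`. Whether such a sibling exists is deployment-dependent, but a component-wise comparison closes the gap regardless: `if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {` (File.toPath needs a Java 7+ build; if this package must stay on an older baseline, compare against `storageDir.getCanonicalPath() + File.separator` instead). The `// Check the file is within the storage directory` comment should also say that both sides are canonicalised first, so symlinks and `..` segments in the id are resolved before the comparison, and that a failed check logs at WARN and returns null; how callers of file() treat that null is outside this hunk and should be confirmed.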