====================================================================

                             CERT-Renater

                 Note d'Information No. 2019/VULN423
_____________________________________________________________________

DATE                : 20/12/2019

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to
                     9.0.30, 8.5.50 and 7.0.99.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/201912.mbox/%3c3f42d82c-d9e9-8893-9820-df4e420e5c4e@apache.org%3e
http://mail-archives.apache.org/mod_mbox/www-announce/201912.mbox/%3c21b7a375-7297-581b-1f8e-06622d36775b@apache.org%3e
_____________________________________________________________________

CVE-2019-12418 Local Privilege Escalation

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.28
Apache Tomcat 8.5.0 to 8.5.47
Apache Tomcat 7.0.0 to 7.0.97

Description:
When Tomcat is configured with the JMX Remote Lifecycle Listener, a
local attacker without access to the Tomcat process or configuration
files is able to manipulate the RMI registry to perform a
man-in-the-middle attack to capture user names and passwords used to
access the JMX interface. The attacker can then use these credentials to
access the JMX interface and gain complete control over the Tomcat instance.
The JMX Remote Lifecycle Listener will be deprecated in future Tomcat
releases, will be removed for Tomcat 10 and may be removed from all
Tomcat releases some time after 2020-12-31.
Users should also be aware of CVE-2019-2684, a JRE vulnerability that
enables this issue to be exploited remotely.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Disable Tomcat's JmxRemoteLifecycleListener and use the built-in
  remote JMX facilities provided by the JVM
- Upgrade to Apache Tomcat 9.0.29 or later
- Upgrade to Apache Tomcat 8.5.49 or later
- Upgrade to Apache Tomcat 7.0.99 or later

Note: The fix was included in versions 7.0.98 and 8.5.48 but those
      versions were not released.

Credit:
An Trinh of Viettel Cyber Security

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf
[5] https://nvd.nist.gov/vuln/detail/CVE-2019-2684

_____________________________________________________________________

CVE-2019-17563 Session fixation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.29
Apache Tomcat 8.5.0 to 8.5.49
Apache Tomcat 7.0.0 to 7.0.98

Description:
When using FORM authentication there was a narrow window where an
attacker could perform a session fixation attack. The window was
considered too narrow for an exploit to be practical but, erring on the
side of caution, this issue has been treated as a security vulnerability.

Mitigation:
- Upgrade to Apache Tomcat 9.0.30 or later
- Upgrade to Apache Tomcat 8.5.50 or later
- Upgrade to Apache Tomcat 7.0.99 or later
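The following script is an added example and is not part of the CERT-Renater note or of the Apache advisories it reproduces. It turns the two checks a practitioner needs into code: whether a reported Tomcat version falls inside the affected ranges listed above for CVE-2019-12418 and CVE-2019-17563, and whether server.xml still registers the JmxRemoteLifecycleListener, which is the precondition for the RMI registry man-in-the-middle described under CVE-2019-12418 and the first mitigation listed for it. The listener class name and its rmiRegistryPortPlatform / rmiServerPortPlatform / useLocalPorts attributes are the ones Tomcat documents; the function names and the sample server.xml are constructed for this example.

```python
"""Check a Tomcat deployment against CERT-Renater note 2019/VULN423.

Added example, not from the advisory. Two checks:
  1. is the Tomcat version inside an affected range for CVE-2019-12418
     or CVE-2019-17563 (ranges copied from the advisory text), and
  2. does server.xml still register the JmxRemoteLifecycleListener,
     the precondition for the CVE-2019-12418 RMI registry MITM.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed in the advisory: (first, last) inclusive.
AFFECTED = {
    "CVE-2019-12418": [("9.0.0.M1", "9.0.28"), ("8.5.0", "8.5.47"), ("7.0.0", "7.0.97")],
    "CVE-2019-17563": [("9.0.0.M1", "9.0.29"), ("8.5.0", "8.5.49"), ("7.0.0", "7.0.98")],
}

# Tomcat's documented class name for the listener the advisory is about.
JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Turn '9.0.0.M1' or '8.5.47' into a comparable tuple.

    Milestone builds (9.0.0.M26) precede the corresponding final release
    (9.0.0), so the fourth slot is 0 for a milestone and 1 for a final build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), final, int(milestone or 0))


def affected_cves(version):
    """Return the advisory CVE ids whose affected ranges include version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi in ranges:
            if parse_version(lo) <= v <= parse_version(hi):
                hits.append(cve)
                break
    return hits


def jmx_remote_listeners(server_xml):
    """Return the port settings of every JmxRemoteLifecycleListener found.

    An empty list means the listener is not configured, which is the first
    mitigation the advisory lists for CVE-2019-12418.
    """
    root = ET.fromstring(server_xml)
    found = []
    for listener in root.iter("Listener"):
        if listener.get("className") == JMX_LISTENER:
            found.append({
                "registry_port": listener.get("rmiRegistryPortPlatform"),
                "server_port": listener.get("rmiServerPortPlatform"),
                "use_local_ports": listener.get("useLocalPorts", "false"),
            })
    return found


# Constructed sample server.xml (not taken from any real deployment) that
# still carries the vulnerable listener on fixed RMI registry/server ports.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""


def assess(version, server_xml):
    """Combine both checks into one verdict for a deployment."""
    cves = affected_cves(version)
    listeners = jmx_remote_listeners(server_xml)
    return {
        "version": version,
        "cves": cves,
        # The RMI registry MITM only applies when the listener is enabled.
        "jmx_mitm_exposed": "CVE-2019-12418" in cves and bool(listeners),
        "listeners": listeners,
    }


if __name__ == "__main__":
    for ver in ("9.0.0.M1", "9.0.28", "9.0.29", "9.0.30", "8.5.48", "7.0.99"):
        r = assess(ver, SAMPLE_SERVER_XML)
        print(ver, r["cves"], "JMX MITM exposed:", r["jmx_mitm_exposed"])
```

If the listener is found, the mitigation the advisory prefers is to delete that Listener element and expose JMX through the JVM's own remote agent instead (the com.sun.management.jmxremote.port / .rmi.port system properties), keeping com.sun.management.jmxremote.authenticate and com.sun.management.jmxremote.ssl enabled and binding the ports to a management network rather than to all interfaces. Note that the version check alone is not sufficient for CVE-2019-12418: a patched version with the listener still configured is fixed, but an unpatched version without the listener is not exposed to this particular issue.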

Credit:
William Marlow (IBM)

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================