Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/12/18 15:35:48 UTC

svn commit: r1871756 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

Author: markt
Date: Wed Dec 18 15:35:48 2019
New Revision: 1871756

URL: http://svn.apache.org/viewvc?rev=1871756&view=rev
Log:
CVE-2019-12418 and CVE-2019-17563

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/docs/security-8.html
    tomcat/site/trunk/docs/security-9.html
    tomcat/site/trunk/xdocs/security-7.xml
    tomcat/site/trunk/xdocs/security-8.xml
    tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1871756&r1=1871755&r2=1871756&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Dec 18 15:35:48 2019
@@ -214,6 +214,9 @@
 <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.99">Fixed in Apache Tomcat 7.0.99</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_7.0.94">Fixed in Apache Tomcat 7.0.94</a>
 </li>
 <li>
@@ -400,6 +403,79 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.99">
+<span class="pull-right">17 December 2019</span> Fixed in Apache Tomcat 7.0.99</h3>
+<div class="text">
+
+    
+<p>
+<strong>Low: Session fixation</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" rel="nofollow">CVE-2019-17563</a>
+</p>
+
+    
+<p>When using FORM authentication there was a narrow window where an
+       attacker could perform a session fixation attack. The window was
+       considered too narrow for an exploit to be practical but, erring on the
+       side of caution, this issue has been treated as a security
+       vulnerability.</p>
+
+    
+<p>This was fixed with commit
+       <a href="https://github.com/apache/tomcat/commit/ab72a10">ab72a10</a>.</p>
+
+    
+<p>This issue was reported to the Apache Tomcat Security Team by William
+       Marlow (IBM) on 19 November 2019. The issue was made public on 18
+       December 2019.</p>
+
+    
+<p>Affects: 7.0.0 to 7.0.98</p>
+
+    
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat 7.0.98 but the
+       release vote for the 7.0.98 release candidate did not pass. Therefore,
+       although users must download 7.0.99 to obtain a version that includes
+       the fix for this issue, version78.0.98 is not included in the list of
+       affected versions.</i>
+</p>
+
+    
+<p>
+<strong>Moderate: Local Privilege Escalation</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418" rel="nofollow">CVE-2019-12418</a>
+</p>
+
+    
+<p>When Tomcat is configured with the JMX Remote Lifecycle Listener, a local
+       attacker without access to the Tomcat process or configuration files is
+       able to manipulate the RMI registry to perform a man-in-the-middle attack
+       to capture user names and passwords used to access the JMX interface. The
+       attacker can then use these credentials to access the JMX interface and
+       gain complete control over the Tomcat instance.</p>
+    
+<p>The JMX Remote Lifecycle Listener will be deprecated in future Tomcat
+       releases, will be removed for Tomcat 10 and may be removed from all
+       Tomcat releases some time after 31 December 2020.</p>
+    
+<p>Users should also be aware of <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684" rel="nofollow">CVE-2019-2684</a>, a JRE
+       vulnerability that enables this issue to be exploited remotely.</p>
+
+    
+<p>This was fixed with commit
+       <a href="https://github.com/apache/tomcat/commit/bef3f40">bef3f40</a>.</p>
+
+    
+<p>This issue was reported to the Apache Tomcat Security Team by An Trinh of
+       Viettel Cyber Security on 10 October 2019. The issue was made public on 18
+       December 2019.</p>
+
+    
+<p>Affects: 7.0.0 to 7.0.97</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_7.0.94">
 <span class="pull-right">12 April 2019</span> Fixed in Apache Tomcat 7.0.94</h3>
 <div class="text">
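Review bot: "version78.0.98" in the italic note between the two entries (the paragraph after "Affects: 7.0.0 to 7.0.98") is missing a space and carries the wrong major version; it should read "version 7.0.98" so it names the release candidate whose vote did not pass. Since docs/security-7.html is generated from xdocs/security-7.xml, which has the same typo, fix the xdocs source and regenerate this file rather than hand-editing the HTML.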

Modified: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1871756&r1=1871755&r2=1871756&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Wed Dec 18 15:35:48 2019
@@ -214,6 +214,12 @@
 <a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.50">Fixed in Apache Tomcat 8.5.50</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.49">Fixed in Apache Tomcat 8.5.49</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_8.5.41">Fixed in Apache Tomcat 8.5.41</a>
 </li>
 <li>
@@ -382,6 +388,85 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.50">
+<span class="pull-right">12 December 2019</span> Fixed in Apache Tomcat 8.5.50</h3>
+<div class="text">
+
+    
+<p>
+<strong>Low: Session fixation</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" rel="nofollow">CVE-2019-17563</a>
+</p>
+
+    
+<p>When using FORM authentication there was a narrow window where an
+       attacker could perform a session fixation attack. The window was
+       considered too narrow for an exploit to be practical but, erring on the
+       side of caution, this issue has been treated as a security
+       vulnerability.</p>
+
+    
+<p>This was fixed with commit
+       <a href="https://github.com/apache/tomcat/commit/e19a202">e19a202</a>.</p>
+
+    
+<p>This issue was reported to the Apache Tomcat Security Team by William
+       Marlow (IBM) on 19 November 2019. The issue was made public on 18
+       December 2019.</p>
+
+    
+<p>Affects: 8.5.0 to 8.5.49</p>
+
+  
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.49">
+<span class="pull-right">21 November 2019</span> Fixed in Apache Tomcat 8.5.49</h3>
+<div class="text">
+
+    
+<p>
+<i>Note: The issue below was fixed in Apache Tomcat 8.0.48 but the
+       release vote for the 8.0.48 release candidate did not pass. Therefore,
+       although users must download 8.0.49 to obtain a version that includes
+       the fix for this issue, version 8.0.48 is not included in the list of
+       affected versions.</i>
+</p>
+
+    
+<p>
+<strong>Moderate: Local Privilege Escalation</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418" rel="nofollow">CVE-2019-12418</a>
+</p>
+
+    
+<p>When Tomcat is configured with the JMX Remote Lifecycle Listener, a local
+       attacker without access to the Tomcat process or configuration files is
+       able to manipulate the RMI registry to perform a man-in-the-middle attack
+       to capture user names and passwords used to access the JMX interface. The
+       attacker can then use these credentials to access the JMX interface and
+       gain complete control over the Tomcat instance.</p>
+    
+<p>The JMX Remote Lifecycle Listener will be deprecated in future Tomcat
+       releases, will be removed for Tomcat 10 and may be removed from all
+       Tomcat releases some time after 31 December 2020.</p>
+    
+<p>Users should also be aware of <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684" rel="nofollow">CVE-2019-2684</a>, a JRE
+       vulnerability that enables this issue to be exploited remotely.</p>
+
+    
+<p>This was fixed with commit
+       <a href="https://github.com/apache/tomcat/commit/a91d7db">a91d7db</a>.</p>
+
+    
+<p>This issue was reported to the Apache Tomcat Security Team by An Trinh of
+       Viettel Cyber Security on 10 October 2019. The issue was made public on 18
+       December 2019.</p>
+
+    
+<p>Affects: 8.5.0 to 8.5.47</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_8.5.41">
 <span class="pull-right">13 May 2019</span> Fixed in Apache Tomcat 8.5.41</h3>
 <div class="text">
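Review bot: The italic note at the top of the "Fixed in Apache Tomcat 8.5.49" section refers to 8.0.48 and 8.0.49, but the heading, its anchor and the "Affects: 8.5.0 to 8.5.47" line are all about the 8.5.x branch, so it should read 8.5.48 (the release candidate whose vote did not pass) and 8.5.49 (the release users must download). As written it points readers at the wrong branch. Correct it in xdocs/security-8.xml and regenerate this file.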

Modified: tomcat/site/trunk/docs/security-9.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1871756&r1=1871755&r2=1871756&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Wed Dec 18 15:35:48 2019
@@ -214,6 +214,12 @@
 <a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x vulnerabilities</a>
 </li>
 <li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.30">Fixed in Apache Tomcat 9.0.30</a>
+</li>
+<li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.29">Fixed in Apache Tomcat 9.0.29</a>
+</li>
+<li>
 <a href="#Fixed_in_Apache_Tomcat_9.0.20">Fixed in Apache Tomcat 9.0.20</a>
 </li>
 <li>
@@ -322,6 +328,76 @@
 
   
 </div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.30">
+<span class="pull-right">12 December 2019</span> Fixed in Apache Tomcat 9.0.30</h3>
+<div class="text">
+
+    
+<p>
+<strong>Low: Session fixation</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563" rel="nofollow">CVE-2019-17563</a>
+</p>
+
+    
+<p>When using FORM authentication there was a narrow window where an
+       attacker could perform a session fixation attack. The window was
+       considered too narrow for an exploit to be practical but, erring on the
+       side of caution, this issue has been treated as a security
+       vulnerability.</p>
+
+    
+<p>This was fixed with commit
+       <a href="https://github.com/apache/tomcat/commit/1ecba14">1ecba14</a>.</p>
+
+    
+<p>This issue was reported to the Apache Tomcat Security Team by William
+       Marlow (IBM) on 19 November 2019. The issue was made public on 18
+       December 2019.</p>
+
+    
+<p>Affects: 9.0.0.M1 to 9.0.29</p>
+
+  
+</div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.29">
+<span class="pull-right">21 November 2019</span> Fixed in Apache Tomcat 9.0.29</h3>
+<div class="text">
+
+    
+<p>
+<strong>Moderate: Local Privilege Escalation</strong>
+       <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418" rel="nofollow">CVE-2019-12418</a>
+</p>
+
+    
+<p>When Tomcat is configured with the JMX Remote Lifecycle Listener, a local
+       attacker without access to the Tomcat process or configuration files is
+       able to manipulate the RMI registry to perform a man-in-the-middle attack
+       to capture user names and passwords used to access the JMX interface. The
+       attacker can then use these credentials to access the JMX interface and
+       gain complete control over the Tomcat instance.</p>
+    
+<p>The JMX Remote Lifecycle Listener will be deprecated in future Tomcat
+       releases, will be removed for Tomcat 10 and may be removed from all
+       Tomcat releases some time after 31 December 2020.</p>
+    
+<p>Users should also be aware of <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2684" rel="nofollow">CVE-2019-2684</a>, a JRE
+       vulnerability that enables this issue to be exploited remotely.</p>
+
+    
+<p>This was fixed with commit
+       <a href="https://github.com/apache/tomcat/commit/1fc9f58">1fc9f58</a>.</p>
+
+    
+<p>This issue was reported to the Apache Tomcat Security Team by An Trinh of
+       Viettel Cyber Security on 10 October 2019. The issue was made public on 18
+       December 2019.</p>
+
+    
+<p>Affects: 9.0.0.M1 to 9.0.28</p>
+
+  
+</div>
 <h3 id="Fixed_in_Apache_Tomcat_9.0.20">
 <span class="pull-right">13 May 2019</span> Fixed in Apache Tomcat 9.0.20</h3>
 <div class="text">

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1871756&r1=1871755&r2=1871756&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Dec 18 15:35:48 2019
@@ -50,6 +50,58 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 7.0.99" rtext="17 December 2019">
+
+    <p><strong>Low: Session fixation</strong>
+       <cve>CVE-2019-17563</cve></p>
+
+    <p>When using FORM authentication there was a narrow window where an
+       attacker could perform a session fixation attack. The window was
+       considered too narrow for an exploit to be practical but, erring on the
+       side of caution, this issue has been treated as a security
+       vulnerability.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="ab72a10">ab72a10</hashlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by William
+       Marlow (IBM) on 19 November 2019. The issue was made public on 18
+       December 2019.</p>
+
+    <p>Affects: 7.0.0 to 7.0.98</p>
+
+    <p><i>Note: The issue below was fixed in Apache Tomcat 7.0.98 but the
+       release vote for the 7.0.98 release candidate did not pass. Therefore,
+       although users must download 7.0.99 to obtain a version that includes
+       the fix for this issue, version78.0.98 is not included in the list of
+       affected versions.</i></p>
+
+    <p><strong>Moderate: Local Privilege Escalation</strong>
+       <cve>CVE-2019-12418</cve></p>
+
+    <p>When Tomcat is configured with the JMX Remote Lifecycle Listener, a local
+       attacker without access to the Tomcat process or configuration files is
+       able to manipulate the RMI registry to perform a man-in-the-middle attack
+       to capture user names and passwords used to access the JMX interface. The
+       attacker can then use these credentials to access the JMX interface and
+       gain complete control over the Tomcat instance.</p>
+    <p>The JMX Remote Lifecycle Listener will be deprecated in future Tomcat
+       releases, will be removed for Tomcat 10 and may be removed from all
+       Tomcat releases some time after 31 December 2020.</p>
+    <p>Users should also be aware of <cve>CVE-2019-2684</cve>, a JRE
+       vulnerability that enables this issue to be exploited remotely.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="bef3f40">bef3f40</hashlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by An Trinh of
+       Viettel Cyber Security on 10 October 2019. The issue was made public on 18
+       December 2019.</p>
+
+    <p>Affects: 7.0.0 to 7.0.97</p>
+
+  </section>
+  
   <section name="Fixed in Apache Tomcat 7.0.94" rtext="12 April 2019">
 
     <p><strong>Important: Remote Code Execution on Windows</strong>
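Review bot: "version78.0.98" in the note paragraph between the two entries should be "version 7.0.98"; this is the source for docs/security-7.html, so fixing it here and regenerating clears both copies. Minor: the blank line added after the new `</section>` carries trailing spaces (`+  `), unlike the equivalent blank lines in the security-8.xml and security-9.xml hunks.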

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1871756&r1=1871755&r2=1871756&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Wed Dec 18 15:35:48 2019
@@ -50,6 +50,62 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 8.5.50" rtext="12 December 2019">
+
+    <p><strong>Low: Session fixation</strong>
+       <cve>CVE-2019-17563</cve></p>
+
+    <p>When using FORM authentication there was a narrow window where an
+       attacker could perform a session fixation attack. The window was
+       considered too narrow for an exploit to be practical but, erring on the
+       side of caution, this issue has been treated as a security
+       vulnerability.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="e19a202">e19a202</hashlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by William
+       Marlow (IBM) on 19 November 2019. The issue was made public on 18
+       December 2019.</p>
+
+    <p>Affects: 8.5.0 to 8.5.49</p>
+
+  </section>
+
+  <section name="Fixed in Apache Tomcat 8.5.49" rtext="21 November 2019">
+
+    <p><i>Note: The issue below was fixed in Apache Tomcat 8.0.48 but the
+       release vote for the 8.0.48 release candidate did not pass. Therefore,
+       although users must download 8.0.49 to obtain a version that includes
+       the fix for this issue, version 8.0.48 is not included in the list of
+       affected versions.</i></p>
+
+    <p><strong>Moderate: Local Privilege Escalation</strong>
+       <cve>CVE-2019-12418</cve></p>
+
+    <p>When Tomcat is configured with the JMX Remote Lifecycle Listener, a local
+       attacker without access to the Tomcat process or configuration files is
+       able to manipulate the RMI registry to perform a man-in-the-middle attack
+       to capture user names and passwords used to access the JMX interface. The
+       attacker can then use these credentials to access the JMX interface and
+       gain complete control over the Tomcat instance.</p>
+    <p>The JMX Remote Lifecycle Listener will be deprecated in future Tomcat
+       releases, will be removed for Tomcat 10 and may be removed from all
+       Tomcat releases some time after 31 December 2020.</p>
+    <p>Users should also be aware of <cve>CVE-2019-2684</cve>, a JRE
+       vulnerability that enables this issue to be exploited remotely.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="a91d7db">a91d7db</hashlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by An Trinh of
+       Viettel Cyber Security on 10 October 2019. The issue was made public on 18
+       December 2019.</p>
+
+    <p>Affects: 8.5.0 to 8.5.47</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat 8.5.41" rtext="13 May 2019">
 
     <p><strong>Important: Denial of Service</strong>
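Review bot: The note paragraph opening the "Fixed in Apache Tomcat 8.5.49" section says 8.0.48 and 8.0.49 where it should say 8.5.48 and 8.5.49: the section name, rtext and the "Affects: 8.5.0 to 8.5.47" line all concern the 8.5.x branch, and the 8.0.x numbers contradict them. Suggested wording: "Note: The issue below was fixed in Apache Tomcat 8.5.48 but the release vote for the 8.5.48 release candidate did not pass. Therefore, although users must download 8.5.49 to obtain a version that includes the fix for this issue, version 8.5.48 is not included in the list of affected versions."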

Modified: tomcat/site/trunk/xdocs/security-9.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1871756&r1=1871755&r2=1871756&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Wed Dec 18 15:35:48 2019
@@ -50,6 +50,56 @@
 
   </section>
 
+  <section name="Fixed in Apache Tomcat 9.0.30" rtext="12 December 2019">
+
+    <p><strong>Low: Session fixation</strong>
+       <cve>CVE-2019-17563</cve></p>
+
+    <p>When using FORM authentication there was a narrow window where an
+       attacker could perform a session fixation attack. The window was
+       considered too narrow for an exploit to be practical but, erring on the
+       side of caution, this issue has been treated as a security
+       vulnerability.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="1ecba14">1ecba14</hashlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by William
+       Marlow (IBM) on 19 November 2019. The issue was made public on 18
+       December 2019.</p>
+
+    <p>Affects: 9.0.0.M1 to 9.0.29</p>
+
+  </section>
+
+  <section name="Fixed in Apache Tomcat 9.0.29" rtext="21 November 2019">
+
+    <p><strong>Moderate: Local Privilege Escalation</strong>
+       <cve>CVE-2019-12418</cve></p>
+
+    <p>When Tomcat is configured with the JMX Remote Lifecycle Listener, a local
+       attacker without access to the Tomcat process or configuration files is
+       able to manipulate the RMI registry to perform a man-in-the-middle attack
+       to capture user names and passwords used to access the JMX interface. The
+       attacker can then use these credentials to access the JMX interface and
+       gain complete control over the Tomcat instance.</p>
+    <p>The JMX Remote Lifecycle Listener will be deprecated in future Tomcat
+       releases, will be removed for Tomcat 10 and may be removed from all
+       Tomcat releases some time after 31 December 2020.</p>
+    <p>Users should also be aware of <cve>CVE-2019-2684</cve>, a JRE
+       vulnerability that enables this issue to be exploited remotely.</p>
+
+    <p>This was fixed with commit
+       <hashlink hash="1fc9f58">1fc9f58</hashlink>.</p>
+
+    <p>This issue was reported to the Apache Tomcat Security Team by An Trinh of
+       Viettel Cyber Security on 10 October 2019. The issue was made public on 18
+       December 2019.</p>
+
+    <p>Affects: 9.0.0.M1 to 9.0.28</p>
+
+  </section>
+
   <section name="Fixed in Apache Tomcat 9.0.20" rtext="13 May 2019">
 
     <p><strong>Important: Denial of Service</strong>


