CVE-2019-12418 Local Privilege Escalation

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.28
Apache Tomcat 8.5.0 to 8.5.47
Apache Tomcat 7.0.0 to 7.0.97

Description:
When Tomcat is configured with the JMX Remote Lifecycle Listener, a
local attacker without access to the Tomcat process or configuration
files is able to manipulate the RMI registry to perform a
man-in-the-middle attack to capture user names and passwords used to
access the JMX interface. The attacker can then use these credentials to
access the JMX interface and gain complete control over the Tomcat instance.
The JMX Remote Lifecycle Listener will be deprecated in future Tomcat
releases, will be removed for Tomcat 10 and may be removed from all
Tomcat releases some time after 2020-12-31.
Users should also be aware of CVE-2019-2684, a JRE vulnerability that
enables this issue to be exploited remotely.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Disable Tomcat's JmxRemoteLifecycleListener and use the built-in
  remote JMX facilities provided by the JVM
- Upgrade to Apache Tomcat 9.0.29 or later
- Upgrade to Apache Tomcat 8.5.49 or later
- Upgrade to Apache Tomcat 7.0.99 or later

Note: The fix was included in versions 7.0.98 and 8.5.48 but those
      versions were not released.
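As an added example (not part of this advisory and not Tomcat's own code), the script below checks the two preconditions the advisory names, a version inside an affected range and a server.xml that registers org.apache.catalina.mbeans.JmxRemoteLifecycleListener, and shows the listener-free configuration plus the JVM flags for the JDK's built-in remote JMX agent that the first mitigation points to. The sample server.xml, port numbers and file paths are constructed for the example; the com.sun.management.jmxremote.* property names are the standard JDK ones.

```python
import re
import xml.etree.ElementTree as ET

# Fully qualified class name of the listener named in the advisory.
JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Inclusive affected ranges copied from the advisory. Only the 7.0.x, 8.5.x and
# 9.0.x branches are listed there, so other branches are reported as "not listed".
FINAL = 10**6  # sorts a final release after its milestone builds (9.0.0.M1 < 9.0.1)
AFFECTED_RANGES = [
    ((7, 0, 0, 0), (7, 0, 97, FINAL)),
    ((8, 5, 0, 0), (8, 5, 47, FINAL)),
    ((9, 0, 0, 0), (9, 0, 28, FINAL)),
]

# Constructed sample server.xml (not from any real deployment) with the listener on.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def parse_version(text):
    """Turn '9.0.28' or a milestone such as '9.0.0.M1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else FINAL)


def version_affected(text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def jmx_listener_configured(server_xml):
    """True if server.xml registers the JMX Remote Lifecycle Listener."""
    root = ET.fromstring(server_xml)
    return any(el.get("className") == JMX_LISTENER for el in root.iter("Listener"))


def strip_jmx_listener(server_xml):
    """Return server.xml with every JmxRemoteLifecycleListener element removed."""
    root = ET.fromstring(server_xml)
    for parent in root.iter():
        for child in list(parent):
            if child.tag == "Listener" and child.get("className") == JMX_LISTENER:
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


def assess(version, server_xml):
    """Combine both signals. The advisory's issue needs the listener enabled on an
    affected version; the other outcomes are reported so nothing is silently ignored."""
    affected = version_affected(version)
    listener = jmx_listener_configured(server_xml)
    if affected and listener:
        return "vulnerable"
    if listener:
        return "listener-only"   # listener on, version outside the listed ranges
    if affected:
        return "version-only"    # unfixed version, but this issue is not reachable
    return "clear"


def builtin_jmx_jvm_opts(port, rmi_port, password_file, access_file):
    """JVM flags for the JDK's own remote JMX agent (the advisory's alternative to the
    listener): fixed registry and server ports, authentication and TLS on. The
    keystore properties TLS needs (javax.net.ssl.keyStore, ...) are deployment
    specific and deliberately not set here."""
    return [
        f"-Dcom.sun.management.jmxremote.port={port}",
        f"-Dcom.sun.management.jmxremote.rmi.port={rmi_port}",
        "-Dcom.sun.management.jmxremote.authenticate=true",
        f"-Dcom.sun.management.jmxremote.password.file={password_file}",
        f"-Dcom.sun.management.jmxremote.access.file={access_file}",
        "-Dcom.sun.management.jmxremote.ssl=true",
        "-Dcom.sun.management.jmxremote.registry.ssl=true",
    ]


if __name__ == "__main__":
    print("9.0.28 + listener:", assess("9.0.28", SAMPLE_SERVER_XML))
    print("9.0.29 + listener removed:", assess("9.0.29", strip_jmx_listener(SAMPLE_SERVER_XML)))
    print("CATALINA_OPTS=" + " ".join(builtin_jmx_jvm_opts(
        9010, 9011, "/etc/tomcat/jmxremote.password", "/etc/tomcat/jmxremote.access")))
```

The version check deliberately reports an unfixed version with the listener absent as a separate outcome: the advisory's issue is not reachable there, but the instance still needs the upgrade for everything else fixed in those releases. When moving to the JDK agent, keep both ports pinned and authentication enabled; the flags above only make sense once the password and access files exist with restrictive permissions and a keystore is configured for the TLS properties.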

Credit:
An Trinh of Viettel Cyber Security

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf
[5] https://nvd.nist.gov/vuln/detail/CVE-2019-2684