CVE-2019-12418 Local Privilege Escalation

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.28
Apache Tomcat 8.5.0 to 8.5.47
Apache Tomcat 7.0.0 to 7.0.97

Description:
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

The JMX Remote Lifecycle Listener will be deprecated in future Tomcat releases, will be removed for Tomcat 10 and may be removed from all Tomcat releases some time after 2020-12-31.

Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Disable Tomcat's JmxRemoteLifecycleListener and use the built-in remote JMX facilities provided by the JVM
- Upgrade to Apache Tomcat 9.0.29 or later
- Upgrade to Apache Tomcat 8.5.49 or later
- Upgrade to Apache Tomcat 7.0.99 or later

Note: The fix was included in versions 7.0.98 and 8.5.48 but those versions were not released.

Credit:
An Trinh of Viettel Cyber Security

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] https://i.blackhat.com/eu-19/Wednesday/eu-19-An-Far-Sides-Of-Java-Remote-Protocols.pdf
[5] https://nvd.nist.gov/vuln/detail/CVE-2019-2684
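As an added audit example (not part of this advisory or of Tomcat itself), the following Python checks a Tomcat version against the affected ranges above and whether server.xml still enables the JMX Remote Lifecycle Listener, then maps the two results onto the advisory's outcomes; the sample server.xml fragments and their port numbers are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per affected branch, from the advisory (7.0.98 and 8.5.48 never shipped).
FIXED_IN = {(9, 0): 29, (8, 5): 49, (7, 0): 99}
LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

def version_affected(version):
    """True for 9.0.0.M1-9.0.28, 8.5.0-8.5.47 and 7.0.0-7.0.97 (a milestone such as
    9.0.0.M1 parses as 9.0.0); branches the advisory does not list return False."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    fixed = FIXED_IN.get((major, minor))
    return fixed is not None and patch < fixed

def jmx_listener_enabled(server_xml):
    """True if server.xml declares an active JmxRemoteLifecycleListener.
    ElementTree drops XML comments, so a commented-out listener is not counted."""
    root = ET.fromstring(server_xml)
    return any(el.get("className") == LISTENER for el in root.iter("Listener"))

def assess(version, server_xml):
    affected, enabled = version_affected(version), jmx_listener_enabled(server_xml)
    if affected and enabled:
        return "VULNERABLE: upgrade Tomcat or disable the listener"
    if enabled:
        return "fixed version, but the deprecated listener is still on: prefer the JVM's JMX"
    if affected:
        return "listener disabled: not exposed to this CVE, but the version still needs upgrading"
    return "ok"

# Constructed sample server.xml with the vulnerable pattern (ports are made up).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
  <Service name="Catalina"/>
</Server>"""

# Mitigated variant: listener commented out; remote JMX comes from the JVM instead.
MITIGATED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <!-- disabled for CVE-2019-12418; use the JVM's com.sun.management.jmxremote.*
       properties (with authentication and SSL) for remote JMX instead
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
  -->
  <Service name="Catalina"/>
</Server>"""
```

Run `assess(version, open("conf/server.xml").read())` against the version string from Tomcat's `version.sh` output for a real install.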