Vulnerability CVE-2019-2684: Information

Description

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-2684

Published: April 23, 2019

Modified: Nov. 7, 2023

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
tomcat	sisyphus	9.0.37-alt1	9.0.83-alt1_1jpp11	ALT-PU-2020-2892-1	255548	Fixed
tomcat	p10	9.0.37-alt1	9.0.59-alt1_3jpp11	ALT-PU-2020-2892-1	255548	Fixed
tomcat	p9	9.0.37-alt1	9.0.37-alt1	ALT-PU-2020-3213-2	258915	Fixed
tomcat	c10f1	9.0.37-alt1	9.0.59-alt1_3jpp11	ALT-PU-2020-2892-1	255548	Fixed
tomcat	c9f2	9.0.37-alt0.c9.1	9.0.37-alt0.c9.1	ALT-PU-2021-2858-2	282600	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
http://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Vendor Advisory
openSUSE-SU-2019:1327	Third Party Advisory
RHBA-2019:0959	Mailing List Third Party Advisory
[debian-lts-announce] 20190510 [SECURITY] [DLA 1782-1] openjdk-7 security update	Third Party Advisory
RHSA-2019:1146	Third Party Advisory
USN-3975-1	Third Party Advisory
RHSA-2019:1166	Third Party Advisory
RHSA-2019:1165	Third Party Advisory
RHSA-2019:1164	Third Party Advisory
RHSA-2019:1163	Third Party Advisory
RHSA-2019:1238	Third Party Advisory
openSUSE-SU-2019:1439	Mailing List Third Party Advisory
openSUSE-SU-2019:1438	Mailing List Third Party Advisory
DSA-4453	Third Party Advisory
20190530 [SECURITY] [DSA 4453-1] openjdk-8 security update	Mailing List Third Party Advisory
openSUSE-SU-2019:1500	Mailing List Third Party Advisory
RHSA-2019:1325	Third Party Advisory
RHSA-2019:1518	Third Party Advisory
GLSA-201908-10	Third Party Advisory
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03959en_us	Third Party Advisory
[oss-security] 20200901 CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability	Mailing List Third Party Advisory
[tomcat-dev] 20191218 [SECURITY] CVE-2019-12418 Local Privilege Escalation
[announce] 20191218 [SECURITY] CVE-2019-12418 Local Privilege Escalation
[tomcat-announce] 20191218 [SECURITY] CVE-2019-12418 Local Privilege Escalation
[tomcat-dev] 20191218 svn commit: r1871756 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml
[tomcat-users] 20191218 [SECURITY] CVE-2019-12418 Local Privilege Escalation
https://support.f5.com/csp/article/K11175903?utm_source=f5support&amp%3Butm_medium=RSS
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/
[cassandra-dev] 20200901 CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability
[cassandra-user] 20200901 CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability
[cassandra-user] 20200901 Re: CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability
[cassandra-user] 20200902 Re: CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability
[cassandra-user] 20200911 Re: CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability

Affected configurations:
1. Configuration 1
  cpe:2.3:a:oracle:jdk:11.0.2:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jdk:12:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jre:11.0.2:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jre:12:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jdk:1.8.0:update201:*:*:*:*:*:*
  cpe:2.3:a:oracle:jdk:1.8.0:update202:*:*:*:*:*:*
  cpe:2.3:a:oracle:jdk:1.7.0:update211:*:*:*:*:*:*
  cpe:2.3:a:oracle:jre:1.8.0:update201:*:*:*:*:*:*
  cpe:2.3:a:oracle:jre:1.7.0:update211:*:*:*:*:*:*
  cpe:2.3:a:oracle:jre:1.8.0:update202:*:*:*:*:*:*
  
  Configuration 2
  cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:8.1:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
  cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  
  Configuration 5
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  Start including
  7.0.0
  End including
  7.0.97
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  Start including
  8.5.0
  End including
  8.5.47
  cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
  cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
  cpe:2.3:a:apache:cassandra:4.0.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
  Start including
  3.11.0
  End excliding
  3.11.8
  cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
  Start including
  3.0.0
  End excliding
  3.0.22
  cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
  Start including
  2.2.0
  End excliding
  2.2.18
  cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
  Start including
  2.1.0
  End excliding
  2.1.22
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  Start including
  9.0.1
  End including
  9.0.28
  
  Configuration 6
  cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
  
  Configuration 7
  cpe:2.3:a:hp:xp7_command_view:*:*:*:*:advanced:*:*:*
  End excliding
  8.6.5-00

Version: v24.4.2

Vulnerability CVE-2019-2684: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Configuration 5

Configuration 6

Configuration 7