Уязвимость CVE-2019-12418: Информация

Описание

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

Важность: HIGH (7,0) Вектор: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-12418

Опубликовано: 23 декабря 2019 г.

Изменено: 7 ноября 2023 г.

Исправленные пакеты

Имя пакета	Ветка	Исправлено в версии	Версия в репозитории	Errata ID	№ Задания	Состояние
tomcat	sisyphus	9.0.37-alt1	9.0.83-alt1_1jpp11	ALT-PU-2020-2892-1	255548	Исправлено
tomcat	p10	9.0.37-alt1	9.0.59-alt1_3jpp11	ALT-PU-2020-2892-1	255548	Исправлено
tomcat	p9	9.0.37-alt1	9.0.37-alt1	ALT-PU-2020-3213-2	258915	Исправлено
tomcat	c10f1	9.0.37-alt1	9.0.59-alt1_3jpp11	ALT-PU-2020-2892-1	255548	Исправлено
tomcat	c9f2	9.0.37-alt0.c9.1	9.0.37-alt0.c9.1	ALT-PU-2021-2858-2	282600	Исправлено
tomcat	p11	9.0.37-alt1	9.0.83-alt1_1jpp11	ALT-PU-2020-2892-1	255548	Исправлено

Ссылки на рекомендации, решения и инструменты

Ссылка	Ресурс
https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E	Mailing List Vendor Advisory
DSA-4596	Third Party Advisory
20191229 [SECURITY] [DSA 4596-1] tomcat8 security update	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20200107-0001/	Third Party Advisory
openSUSE-SU-2020:0038	Mailing List Third Party Advisory
[debian-lts-announce] 20200127 [SECURITY] [DLA 2077-1] tomcat7 security update	Mailing List Third Party Advisory
USN-4251-1	Third Party Advisory
GLSA-202003-43	Third Party Advisory
[debian-lts-announce] 20200324 [SECURITY] [DLA 2155-1] tomcat8 security update	Mailing List Third Party Advisory
N/A	Patch Third Party Advisory
DSA-4680	Third Party Advisory
https://support.f5.com/csp/article/K10107360?utm_source=f5support&amp%3Butm_medium=RSS
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/

Подверженные конфигурации:
1. Конфигурация 1
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  Start including
  7.0.0
  End including
  7.0.97
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  Start including
  8.5.0
  End including
  8.5.47
  cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
  Start including
  9.0.0
  End including
  9.0.28
  
  Конфигурация 2
  cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  
  Конфигурация 3
  cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:*
  
  Конфигурация 4
  cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*
  
  Конфигурация 5
  cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
  
  Конфигурация 6
  cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*
  Start including
  3.0.0
  End including
  3.1.3

Версия: v24.5.3

Наверх

Уязвимость CVE-2019-12418: Информация

Описание

Исправленные пакеты

Ссылки на рекомендации, решения и инструменты

Конфигурация 1

Конфигурация 2

Конфигурация 3

Конфигурация 4

Конфигурация 5

Конфигурация 6