Bug 706208 (CVE-2019-12418, CVE-2019-17563) - <www-servers/tomcat-{7.0.99,8.5.51}: multiple vulnerabilities (CVE-2019-{12418,17563})
Summary: <www-servers/tomcat-{7.0.99,8.5.51}: multiple vulnerabilities (CVE-2019-{1241...
Status: RESOLVED FIXED
Alias: CVE-2019-12418, CVE-2019-17563
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-23 22:01 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-19 17:18 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments

Description GLSAMaker/CVETool Bot gentoo-dev 2020-01-23 22:01:47 UTC
CVE-2019-17563 (https://nvd.nist.gov/vuln/detail/CVE-2019-17563):
  When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0
  to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker
  could perform a session fixation attack. The window was considered too
  narrow for an exploit to be practical but, erring on the side of caution,
  this issue has been treated as a security vulnerability.

CVE-2019-12418 (https://nvd.nist.gov/vuln/detail/CVE-2019-12418):
  When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is
  configured with the JMX Remote Lifecycle Listener, a local attacker without
  access to the Tomcat process or configuration files is able to manipulate
  the RMI registry to perform a man-in-the-middle attack to capture user names
  and passwords used to access the JMX interface. The attacker can then use
  these credentials to access the JMX interface and gain complete control over
  the Tomcat instance.
Comment 1 Sam James (sec padawan) 2020-03-19 05:19:20 UTC
@maintainer(s), ok to cleanup?
Comment 2 Miroslav Šulc gentoo-dev 2020-03-19 06:09:17 UTC
$ equery meta tomcat
 * www-servers/tomcat [gentoo]
Maintainer:  java@gentoo.org (Java)
Upstream:    None specified
Homepage:    https://tomcat.apache.org/
Location:    /usr/src/gentoo.git/www-servers/tomcat
Keywords:    7.0.100:7: amd64 ~amd64-linux ~ppc64 ~x86 ~x86-linux ~x86-solaris
Keywords:    8.5.51:8.5: amd64
Keywords:    8.5.53:8.5: ~amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
Keywords:    9.0.31:9: 
Keywords:    9.0.33:9: ~amd64 ~amd64-linux ~x86 ~x86-linux ~x86-solaris
License:     Apache-2.0

The tree is clean.
Comment 3 Thomas Deutschmann gentoo-dev Security 2020-03-19 16:59:24 UTC
Added to an existing GLSA.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2020-03-19 17:18:14 UTC
This issue was resolved and addressed in
 GLSA 202003-43 at https://security.gentoo.org/glsa/202003-43
by GLSA coordinator Thomas Deutschmann (whissi).