{ "threat_severity" : "Moderate", "public_date" : "2019-11-21T00:00:00Z", "bugzilla" : { "description" : "tomcat: local privilege escalation", "id" : "1785699", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1785699" }, "cvss3" : { "cvss3_base_score" : "7.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-284", "details" : [ "When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.", "A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user names and passwords used to access the JMX interface and gain complete control over the Tomcat instance." ], "statement" : "This flaw did not affect the versions of tomcat as shipped with Red Hat Enterprise Linux 5, as they did not include JMX Remote Lifecycle Listener, which was introduced in a later version of the package.\npki-servlet-engine has been obsoleted by Tomcat in Red Hat Enterprise Linux 8.9 and later. Therefore no additional fixes would be made available for the servlet engine.", "affected_release" : [ { "product_name" : "Red Hat JBoss Web Server 3.1", "release_date" : "2020-03-17T00:00:00Z", "advisory" : "RHSA-2020:0860", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1", "package" : "tomcat" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2020-03-17T00:00:00Z", "advisory" : "RHSA-2020:0861", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat7-0:7.0.70-38.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2020-03-17T00:00:00Z", "advisory" : "RHSA-2020:0861", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat8-0:8.0.36-42.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2020-03-17T00:00:00Z", "advisory" : "RHSA-2020:0861", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat-native-0:1.2.23-21.redhat_21.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2020-03-17T00:00:00Z", "advisory" : "RHSA-2020:0861", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat7-0:7.0.70-38.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2020-03-17T00:00:00Z", "advisory" : "RHSA-2020:0861", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat8-0:8.0.36-42.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2020-03-17T00:00:00Z", "advisory" : "RHSA-2020:0861", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat-native-0:1.2.23-21.redhat_21.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 6", "release_date" : "2020-04-21T00:00:00Z", "advisory" : "RHSA-2020:1520", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el6", "package" : "jws5-tomcat-0:9.0.30-3.redhat_4.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 6", "release_date" : "2020-04-21T00:00:00Z", "advisory" : "RHSA-2020:1520", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el6", "package" : "jws5-tomcat-native-0:1.2.23-4.redhat_4.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 7", "release_date" : "2020-04-21T00:00:00Z", "advisory" : "RHSA-2020:1520", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el7", "package" : "jws5-tomcat-0:9.0.30-3.redhat_4.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 7", "release_date" : "2020-04-21T00:00:00Z", "advisory" : "RHSA-2020:1520", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el7", "package" : "jws5-tomcat-native-0:1.2.23-4.redhat_4.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 8", "release_date" : "2020-04-21T00:00:00Z", "advisory" : "RHSA-2020:1520", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el8", "package" : "jws5-tomcat-0:9.0.30-3.redhat_4.1.el8jws" }, { "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 8", "release_date" : "2020-04-21T00:00:00Z", "advisory" : "RHSA-2020:1520", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el8", "package" : "jws5-tomcat-native-0:1.2.23-4.redhat_4.el8jws" }, { "product_name" : "Red Hat JBoss Web Server (JWS) 5.3", "release_date" : "2020-04-21T00:00:00Z", "advisory" : "RHSA-2020:1521", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3", "package" : "tomcat" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Out of support scope", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Not affected", "package_name" : "tomcat5", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Out of support scope", "package_name" : "tomcat6", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "pki-deps:10.6/pki-servlet-engine", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Out of support scope", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-java-common-tomcat", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-12418\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-12418\nhttp://mail-archives.apache.org/mod_mbox/tomcat-users/201912.mbox/%3C3f42d82c-d9e9-8893-9820-df4e420e5c4e@apache.org%3E\nhttp://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.49\nhttp://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.29\nhttps://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.99" ], "name" : "CVE-2019-12418", "mitigation" : { "value" : "Disable JMX Remote if monitoring is only needed locally and there is no need to monitor Tomcat remotely. If JMX Remote is required and cannot be disabled, then use the built-in remote JMX facilities provided by the JVM.\nPlease note that JMX Remote Lifecycle Listener is now deprecated and may be removed from both Tomcat 7 [1] and Tomcat 9 [2] after 2020-12-31.\n[1] https://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html#Deprecated_Implementations\n[2] https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html#Deprecated_Implementations", "lang" : "en:us" }, "csaw" : false }