{
  "threat_severity" : "Low",
  "public_date" : "2019-12-18T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: Session fixation when using FORM authentication",
    "id" : "1785711",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1785711"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-384",
  "details" : [ "When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.", "It was found that tomcat's FORM authentication allowed a very small period in which an attacker could possibly force a victim to use a valid user session, or Session Fixation. While practical exploitation of this issue is deemed highly improbable, an abundance of caution merits treating it as a flaw. The highest threat from this vulnerability is to system availability, but it also threatens data confidentiality and integrity." ],
  "statement" : "All affected Red Hat products providing the affected component code should update their setups per the product fixes given.\nThe following Red Hat products are out of support scope for Low Impact flaws, and as such will not issue security fixes:\nRed Hat Enterprise Linux 5\nRed Hat Enterprise Linux 6\nRed Hat JBoss BPM Suite 6\nRed Hat JBoss BRMS 6",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4004",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "tomcat-0:7.0.76-15.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.6 Extended Update Support",
    "release_date" : "2021-03-16T00:00:00Z",
    "advisory" : "RHSA-2021:0882",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.6",
    "package" : "tomcat-0:7.0.76-11.el7_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7.7 Extended Update Support",
    "release_date" : "2021-03-30T00:00:00Z",
    "advisory" : "RHSA-2021:1030",
    "cpe" : "cpe:/o:redhat:rhel_eus:7.7",
    "package" : "tomcat-0:7.0.76-12.el7_7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.1",
    "release_date" : "2020-03-17T00:00:00Z",
    "advisory" : "RHSA-2020:0860",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2020-03-17T00:00:00Z",
    "advisory" : "RHSA-2020:0861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat7-0:7.0.70-38.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2020-03-17T00:00:00Z",
    "advisory" : "RHSA-2020:0861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat8-0:8.0.36-42.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2020-03-17T00:00:00Z",
    "advisory" : "RHSA-2020:0861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat-native-0:1.2.23-21.redhat_21.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2020-03-17T00:00:00Z",
    "advisory" : "RHSA-2020:0861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat7-0:7.0.70-38.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2020-03-17T00:00:00Z",
    "advisory" : "RHSA-2020:0861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat8-0:8.0.36-42.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2020-03-17T00:00:00Z",
    "advisory" : "RHSA-2020:0861",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat-native-0:1.2.23-21.redhat_21.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 6",
    "release_date" : "2020-04-21T00:00:00Z",
    "advisory" : "RHSA-2020:1520",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el6",
    "package" : "jws5-tomcat-0:9.0.30-3.redhat_4.1.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 6",
    "release_date" : "2020-04-21T00:00:00Z",
    "advisory" : "RHSA-2020:1520",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el6",
    "package" : "jws5-tomcat-native-0:1.2.23-4.redhat_4.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 7",
    "release_date" : "2020-04-21T00:00:00Z",
    "advisory" : "RHSA-2020:1520",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el7",
    "package" : "jws5-tomcat-0:9.0.30-3.redhat_4.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 7",
    "release_date" : "2020-04-21T00:00:00Z",
    "advisory" : "RHSA-2020:1520",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el7",
    "package" : "jws5-tomcat-native-0:1.2.23-4.redhat_4.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 8",
    "release_date" : "2020-04-21T00:00:00Z",
    "advisory" : "RHSA-2020:1520",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el8",
    "package" : "jws5-tomcat-0:9.0.30-3.redhat_4.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.3 on RHEL 8",
    "release_date" : "2020-04-21T00:00:00Z",
    "advisory" : "RHSA-2020:1520",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3::el8",
    "package" : "jws5-tomcat-native-0:1.2.23-4.redhat_4.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server (JWS) 5.3",
    "release_date" : "2020-04-21T00:00:00Z",
    "advisory" : "RHSA-2020:1521",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.3",
    "package" : "tomcat"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat5",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-java-common-tomcat",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-17563\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-17563\nhttp://mail-archives.apache.org/mod_mbox/www-announce/201912.mbox/%3C21b7a375-7297-581b-1f8e-06622d36775b@apache.org%3E\nhttp://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.30\nhttps://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.99\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.50" ],
  "name" : "CVE-2019-17563",
  "csaw" : false
}