5.1
CVSSv2

CVE-2019-17563

Published: 23/12/2019 Updated: 18/06/2020
CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Summary

It exists that Tomcat incorrectly handled the RMI registry when configured with the JMX Remote Lifecycle Listener. A local attacker could possibly use this issue to obtain credentials and gain complete control over the Tomcat instance. (CVE-2019-12418)

Vulnerability Trend

Affected Products

Vendor Product Versions
ApacheTomcat7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18, 7.0.19, 7.0.20, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.0.25, 7.0.26, 7.0.27, 7.0.28, 7.0.29, 7.0.30, 7.0.31, 7.0.32, 7.0.33, 7.0.34, 7.0.35, 7.0.36, 7.0.37, 7.0.38, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.51, 7.0.52, 7.0.53, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 7.0.78, 7.0.79, 7.0.80, 7.0.81, 7.0.82, 7.0.83, 7.0.84, 7.0.85, 7.0.86, 7.0.87, 7.0.88, 7.0.89, 7.0.90, 7.0.91, 7.0.92, 7.0.93, 7.0.94, 7.0.95, 7.0.96, 7.0.97, 7.0.98, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 8.5.19, 8.5.20, 8.5.21, 8.5.22, 8.5.23, 8.5.24, 8.5.25, 8.5.26, 8.5.27, 8.5.28, 8.5.29, 8.5.30, 8.5.31, 8.5.32, 8.5.33, 8.5.34, 8.5.35, 8.5.36, 8.5.37, 8.5.38, 8.5.39, 8.5.40, 8.5.41, 8.5.42, 8.5.43, 8.5.44, 8.5.45, 8.5.46, 8.5.47, 8.5.48, 8.5.49, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.0.14, 9.0.15, 9.0.16, 9.0.17, 9.0.18, 9.0.19, 9.0.20, 9.0.21, 9.0.22, 9.0.23, 9.0.24, 9.0.25, 9.0.26, 9.0.27, 9.0.28, 9.0.29
CanonicalUbuntu Linux16.04
DebianDebian Linux8.0, 9.0
OpensuseLeap15.1

Vendor Advisories

Synopsis Important: Red Hat JBoss Web Server 31 Service Pack 8 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31Red Hat Product Security has rated this release as having a security impact of Important A Common Vulnerability Scorin ...
Several security issues were fixed in Tomcat ...
Synopsis Important: Red Hat JBoss Web Server 53 release Type/Severity Security Advisory: Important Topic Red Hat JBoss Web Server 530 zip release for RHEL 6, RHEL 7, RHEL 8 and Microsoft Windows is availableRed Hat Product Security has rated this release as having a security impact ofImportant A Common ...
Synopsis Important: Red Hat JBoss Web Server 31 Service Pack 8 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31 for RHEL 6 and RHEL 7Red Hat Product Security has rated this release as having a security impact of Important A Commo ...
Synopsis Important: Red Hat JBoss Web Server 53 release Type/Severity Security Advisory: Important Topic Updated Red Hat JBoss Web Server 530 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8Red Hat Product Security has rated this relea ...
When Apache Tomcat 900M1 to 9028, 850 to 8547, 700 and 7097 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface ...
This interim fix provides instructions on upgrading Apache Tomcat to v8550 in IBM Platform Symphony 71 Fix Pack 1 in order to address security vulnerabilities CVE-2019-12418 and CVE-2019-17563 in Apache Tomcat ...
Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects For the oldstable distribution (stretch), these problems have been fixed in version 8550-0+deb9u1 This update also req ...
Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface For the stable distribution (buster), these problems have been fixed in version 9031-1~deb10u1 The ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4596-1 security () debian org wwwdebianorg/security/ Moritz Muehlenhoff December 27, 2019 wwwdebianorg/security/faq ...