===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0284
                         tomcat7 security update
                               28 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat7
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17563 CVE-2019-12418
Reference:         ESB-2020.0063
                   ESB-2020.0014
                   ESB-2019.4714

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Package        : tomcat7
Version        : 7.0.56-3+really7.0.99-1
CVE ID         : CVE-2019-12418 CVE-2019-17563

Two security vulnerabilities have been fixed in the Tomcat servlet and JSP
engine.

CVE-2019-12418

    When Apache Tomcat is configured with the JMX Remote Lifecycle
    Listener, a local attacker without access to the Tomcat process or
    configuration files is able to manipulate the RMI registry to perform
    a man-in-the-middle attack to capture user names and passwords used
    to access the JMX interface. The attacker can then use these
    credentials to access the JMX interface and gain complete control
    over the Tomcat instance.

CVE-2019-17563

    When using FORM authentication with Apache Tomcat there was a narrow
    window where an attacker could perform a session fixation attack.
    The window was considered too narrow for an exploit to be practical
    but, erring on the side of caution, this issue has been treated as a
    security vulnerability.

For Debian 8 "Jessie", these problems have been fixed in version
7.0.56-3+really7.0.99-1.

We recommend that you upgrade your tomcat7 packages.
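As an added audit example that is not part of the Debian or AusCERT bulletin: a Python script that checks whether a Tomcat 7 instance's server.xml and web.xml meet the configuration preconditions the two advisories name (the JMX Remote Lifecycle Listener registered; FORM authentication in use), so an administrator can tell which of the two CVEs apply to a host before the package is upgraded. The listener's class name and its rmi*PortPlatform attributes are Tomcat identifiers known to the editor, not taken from the page; the sample configs are constructed.

```python
import xml.etree.ElementTree as ET

# Class name Tomcat 7 uses for the JMX Remote Lifecycle Listener (Tomcat
# identifier known to the editor; the advisory names only the listener).
JMX_LISTENER_CLASS = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

def _local(tag):
    """Drop a '{namespace}' prefix so web.xml's default xmlns does not matter."""
    return tag.rsplit("}", 1)[-1]

def uses_jmx_remote_listener(server_xml):
    """True if server.xml registers the JMX Remote Lifecycle Listener (CVE-2019-12418 precondition)."""
    root = ET.fromstring(server_xml)
    return any(_local(el.tag) == "Listener" and el.get("className") == JMX_LISTENER_CLASS
               for el in root.iter())

def uses_form_auth(web_xml):
    """True if a web.xml <login-config> selects FORM authentication (CVE-2019-17563 precondition)."""
    root = ET.fromstring(web_xml)
    return any(_local(el.tag) == "auth-method" and (el.text or "").strip().upper() == "FORM"
               for el in root.iter())

def applicable_cves(server_xml, web_xmls):
    """Return the advisory's CVEs whose configuration preconditions this instance meets."""
    cves = []
    if uses_jmx_remote_listener(server_xml):
        cves.append("CVE-2019-12418")
    if any(uses_form_auth(w) for w in web_xmls):
        cves.append("CVE-2019-17563")
    return cves

# Constructed sample configs, not taken from any real host.  The rmi*PortPlatform
# attributes are the listener's fixed-port settings (assumed, not on the page).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
</Server>"""

SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <login-config>
    <auth-method>FORM</auth-method>
  </login-config>
</web-app>"""

if __name__ == "__main__":
    print(applicable_cves(SAMPLE_SERVER_XML, [SAMPLE_WEB_XML]))
```

Run it against the real files (typically /etc/tomcat7/server.xml and each webapp's WEB-INF/web.xml) by passing their contents instead of the constructed samples.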
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be found
at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================