Published:

28 January 2020


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0284
                          tomcat7 security update
                              28 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat7
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Access Confidential Data -- Existing Account
                   Unauthorised Access      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-17563 CVE-2019-12418

Reference:         ESB-2020.0063
                   ESB-2020.0014
                   ESB-2019.4714

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : tomcat7
Version        : 7.0.56-3+really7.0.99-1
CVE ID         : CVE-2019-12418 CVE-2019-17563

Two security vulnerabilities have been fixed in the Tomcat
servlet and JSP engine.

CVE-2019-12418

        When Apache Tomcat is configured with the JMX Remote Lifecycle
        Listener, a local attacker without access to the Tomcat process
        or configuration files is able to manipulate the RMI registry to
        perform a man-in-the-middle attack to capture user names and
        passwords used to access the JMX interface. The attacker can
        then use these credentials to access the JMX interface and gain
        complete control over the Tomcat instance.

CVE-2019-17563

        When using FORM authentication with Apache Tomcat there was a
        narrow window where an attacker could perform a session fixation
        attack. The window was considered too narrow for an exploit to
        be practical but, erring on the side of caution, this issue has
        been treated as a security vulnerability.

For Debian 8 "Jessie", these problems have been fixed in version
7.0.56-3+really7.0.99-1.

We recommend that you upgrade your tomcat7 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----