Vulnerabilities > CVE-2019-17563 - Session Fixation vulnerability in multiple products
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Session Credential Falsification through Forging An attacker creates a false but functional session credential in order to gain or usurp access to a service. Session credentials allow users to identify themselves to a service after an initial authentication without needing to resend the authentication information (usually a username and password) with every message. If an attacker is able to forge valid session credentials they may be able to bypass authentication or piggy-back off some other authenticated user's session. This attack differs from Reuse of Session IDs and Session Sidejacking attacks in that in the latter attacks an attacker uses a previous or existing credential without modification while, in a forging attack, the attacker must create their own credential, although it may be based on previously observed credentials.
- Exploitation of Session Variables, Resource IDs and other Trusted Credentials Attacks on session IDs and resource IDs take advantage of the fact that some software accepts user input without verifying its authenticity. For example, a message queuing system that allows service requesters to post messages to its queue through an open channel (such as anonymous FTP), authorization is done through checking group or role membership contained in the posted message. However, there is no proof that the message itself, the information in the message (such group or role membership), or indeed the process that wrote the message to the queue are authentic and authorized to do so. Many server side processes are vulnerable to these attacks because the server to server communications have not been analyzed from a security perspective or the processes "trust" other systems because they are behind a firewall. In a similar way servers that use easy to guess or spoofable schemes for representing digital identity can also be vulnerable. Such systems frequently use schemes without cryptography and digital signatures (or with broken cryptography). Session IDs may be guessed due to insufficient randomness, poor protection (passed in the clear), lack of integrity (unsigned), or improperly correlation with access control policy enforcement points. Exposed configuration and properties files that contain system passwords, database connection strings, and such may also give an attacker an edge to identify these identifiers. The net result is that spoofing and impersonation is possible leading to an attacker's ability to break authentication, authorization, and audit controls on the system.
- Accessing/Intercepting/Modifying HTTP Cookies This attack relies on the use of HTTP Cookies to store credentials, state information and other critical data on client systems. The first form of this attack involves accessing HTTP Cookies to mine for potentially sensitive data contained therein. The second form of this attack involves intercepting this data as it is transmitted from client to server. This intercepted information is then used by the attacker to impersonate the remote user/session. The third form is when the cookie's content is modified by the attacker before it is sent back to the server. Here the attacker seeks to convince the target server to operate on this falsified information.
- Manipulating Opaque Client-based Data Tokens In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1438.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.(CVE-2020-1938) - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.(CVE-2019-12418) - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.(CVE-2019-17563) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2020-04-15 plugin id 135567 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135567 title EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2020-1438) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(135567); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04"); script_cve_id( "CVE-2019-12418", "CVE-2019-17563", "CVE-2020-1938" ); script_name(english:"EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2020-1438)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.(CVE-2020-1938) - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.(CVE-2019-12418) - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.(CVE-2019-17563) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1438 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?59d11dcf"); script_set_attribute(attribute:"solution", value: "Update the affected tomcat packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-admin-webapps"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-el-2.2-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-lib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-webapps"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(3)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP3", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["tomcat-7.0.76-8.h8", "tomcat-admin-webapps-7.0.76-8.h8", "tomcat-el-2.2-api-7.0.76-8.h8", "tomcat-jsp-2.2-api-7.0.76-8.h8", "tomcat-lib-7.0.76-8.h8", "tomcat-servlet-3.0-api-7.0.76-8.h8", "tomcat-webapps-7.0.76-8.h8"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"3", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat"); }NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-1_0-0264_APACHE.NASL description An update of the apache package has been released. last seen 2020-03-17 modified 2020-01-16 plugin id 132979 published 2020-01-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132979 title Photon OS 1.0: Apache PHSA-2020-1.0-0264 code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from VMware Security Advisory PHSA-2020-1.0-0264. The text # itself is copyright (C) VMware, Inc. include('compat.inc'); if (description) { script_id(132979); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/01/18"); script_cve_id("CVE-2019-12418", "CVE-2019-17563"); script_name(english:"Photon OS 1.0: Apache PHSA-2020-1.0-0264"); script_set_attribute(attribute:"synopsis", value: "The remote PhotonOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "An update of the apache package has been released."); script_set_attribute(attribute:"see_also", value:"https://github.com/vmware/photon/wiki/Security-Updates-1.0-264.md"); script_set_attribute(attribute:"solution", value: "Update the affected Linux packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17563"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/23"); script_set_attribute(attribute:"patch_publication_date", value:"2020/01/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/01/16"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:apache"); script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"PhotonOS Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/PhotonOS/release"); if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS"); if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0"); if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu); flag = 0; if (rpm_check(release:"PhotonOS-1.0", reference:"apache-tomcat-8.5.50-1.ph1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "apache"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4596.NASL description Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects. last seen 2020-06-01 modified 2020-06-02 plugin id 132427 published 2019-12-30 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132427 title Debian DSA-4596-1 : tomcat8 - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4596. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(132427); script_version("1.2"); script_cvs_date("Date: 2020/01/02"); script_cve_id("CVE-2018-11784", "CVE-2018-8014", "CVE-2019-0199", "CVE-2019-0221", "CVE-2019-12418", "CVE-2019-17563"); script_xref(name:"DSA", value:"4596"); script_name(english:"Debian DSA-4596-1 : tomcat8 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/tomcat8" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/tomcat8" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4596" ); script_set_attribute( attribute:"solution", value: "Upgrade the tomcat8 packages. For the oldstable distribution (stretch), these problems have been fixed in version 8.5.50-0+deb9u1. This update also requires an updated version of tomcat-native which has been updated to 1.2.21-1~deb9u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat8"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/30"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"libservlet3.1-java", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libservlet3.1-java-doc", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libtomcat8-embed-java", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"libtomcat8-java", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"tomcat8", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"tomcat8-admin", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"tomcat8-common", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"tomcat8-docs", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"tomcat8-examples", reference:"8.5.50-0+deb9u1")) flag++; if (deb_check(release:"9.0", prefix:"tomcat8-user", reference:"8.5.50-0+deb9u1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Web Servers NASL id TOMCAT_9_0_30.NASL description The version of Tomcat installed on the remote host is prior to 9.0.30. It is, therefore, affected by a privilege escalation vulnerability as referenced in the last seen 2020-03-18 modified 2019-12-27 plugin id 132419 published 2019-12-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132419 title Apache Tomcat 9.0.0.M1 < 9.0.30 Privilege Escalation Vulnerability code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(132419); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/11"); script_cve_id("CVE-2019-17563"); script_name(english:"Apache Tomcat 9.0.0.M1 < 9.0.30 Privilege Escalation Vulnerability"); script_set_attribute(attribute:"synopsis", value: "The remote Apache Tomcat server is affected by a privilege escalation vulnerability"); script_set_attribute(attribute:"description", value: "The version of Tomcat installed on the remote host is prior to 9.0.30. It is, therefore, affected by a privilege escalation vulnerability as referenced in the 'Fixed in Apache Tomcat 9.0.30' advisory. - When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. (CVE-2019-17563) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://github.com/apache/tomcat/commit/1ecba14"); # https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.30 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ba131b16"); script_set_attribute(attribute:"solution", value: "Upgrade to Apache Tomcat version 9.0.30 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-17563"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/12/12"); script_set_attribute(attribute:"patch_publication_date", value:"2019/12/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/27"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat"); script_set_attribute(attribute:"agent", value:"all"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin"); script_require_keys("installed_sw/Apache Tomcat"); exit(0); } include('tomcat_version.inc'); tomcat_check_version(fixed:'9.0.30', min:'9.0.0.M1', severity:SECURITY_WARNING, granularity_regex:"^9(\.0)?$");NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-3_0-0051_APACHE.NASL description An update of the apache package has been released. last seen 2020-03-17 modified 2020-01-23 plugin id 133209 published 2020-01-23 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133209 title Photon OS 3.0: Apache PHSA-2020-3.0-0051 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-0861.NASL description The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0861 advisory. - tomcat: XSS in SSI printenv (CVE-2019-0221) - tomcat: local privilege escalation (CVE-2019-12418) - tomcat: session fixation when using FORM authentication (CVE-2019-17563) - tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-23 modified 2020-03-18 plugin id 134668 published 2020-03-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134668 title RHEL 6 / 7 : Red Hat JBoss Web Server 3.1 Service Pack 8 (RHSA-2020:0861) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4251-1.NASL description It was discovered that Tomcat incorrectly handled the RMI registry when configured with the JMX Remote Lifecycle Listener. A local attacker could possibly use this issue to obtain credentials and gain complete control over the Tomcat instance. (CVE-2019-12418) It was discovered that Tomcat incorrectly handled FORM authentication. A remote attacker could possibly use this issue to perform a session fixation attack. (CVE-2019-17563). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 133290 published 2020-01-28 reporter Ubuntu Security Notice (C) 2020 Canonical, Inc. / NASL script (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133290 title Ubuntu 16.04 LTS : tomcat8 vulnerabilities (USN-4251-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2020-38.NASL description This update for tomcat to version 9.0.30 fixes the following issues : Security issue fixed : - CVE-2019-12418: Fixed a local privilege escalation through by manipulating the RMI registry and performing a man-in-the-middle attack (bsc#1159723). - CVE-2019-17563: Fixed a session fixation attack when using FORM authentication (bsc#1159729). This update was imported from the SUSE:SLE-15-SP1:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 132913 published 2020-01-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132913 title openSUSE Security Update : tomcat (openSUSE-2020-38) NASL family Web Servers NASL id TOMCAT_8_5_50.NASL description The version of Tomcat installed on the remote host is prior to 8.5.50. It is, therefore, affected by a privilege escalation vulnerability as referenced in the last seen 2020-03-18 modified 2019-12-27 plugin id 132418 published 2019-12-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132418 title Apache Tomcat 8.5.0 < 8.5.50 Privilege Escalation Vulnerability NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4680.NASL description Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface. last seen 2020-05-12 modified 2020-05-07 plugin id 136376 published 2020-05-07 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136376 title Debian DSA-4680-1 : tomcat9 - security update NASL family Databases NASL id ORACLE_RDBMS_CPU_APR_2020.NASL description The remote Oracle Database Server is missing the April 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - Vulnerability in the Oracle Multimedia component of Oracle Database Server. The supported version that is affected is 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Oracle Multimedia. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Multimedia (CVE-2016-10251). - Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 19.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data (CVE-2016-7103). - Vulnerability in the WLM (Apache Tomcat) component of Oracle Database Server. Supported versions that are affected are 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise WLM (Apache Tomcat). Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of WLM (Apache Tomcat) (CVE-2019-17563). It is also affected by additional vulnerabilities; see the vendor advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-02 modified 2020-04-15 plugin id 135585 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135585 title Oracle Database Server Multiple Vulnerabilities (Apr 2020 CPU) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2020-1337.NASL description When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.(CVE-2019-12418) When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.(CVE-2019-17563) last seen 2020-06-01 modified 2020-06-02 plugin id 133007 published 2020-01-17 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133007 title Amazon Linux AMI : tomcat8 (ALAS-2020-1337) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-2_0-0200_APACHE.NASL description An update of the apache package has been released. last seen 2020-03-17 modified 2020-01-16 plugin id 132988 published 2020-01-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132988 title Photon OS 2.0: Apache PHSA-2020-2.0-0200 NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-202003-43.NASL description The remote host is affected by the vulnerability described in GLSA-202003-43 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details. Impact : An attacker could possibly smuggle HTTP requests or execute arbitrary code. Workaround : There is no known workaround at this time. last seen 2020-03-26 modified 2020-03-20 plugin id 134729 published 2020-03-20 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134729 title GLSA-202003-43 : Apache Tomcat: Multiple vulnerabilities NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1182.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.(CVE-2019-12418) - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.(CVE-2019-17563) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-03 modified 2020-02-25 plugin id 134016 published 2020-02-25 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134016 title EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2020-1182) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1520.NASL description The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1520 advisory. - tomcat: local privilege escalation (CVE-2019-12418) - tomcat: session fixation when using FORM authentication (CVE-2019-17563) - tomcat: Regression in handling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2019-17569) - tomcat: Mishandling of Transfer-Encoding header allows for HTTP request smuggling (CVE-2020-1935) - tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-30 modified 2020-04-21 plugin id 135773 published 2020-04-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135773 title RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.3 release (Important) (RHSA-2020:1520) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2209.NASL description Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine. WARNING: The fix for CVE-2020-1938 may disrupt services that rely on a working AJP configuration. The option secretRequired defaults to true now. You should define a secret in your server.xml or you can revert back by setting secretRequired to false. CVE-2019-17563 When using FORM authentication with Apache Tomcat there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. CVE-2020-1935 In Apache Tomcat the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. CVE-2020-1938 When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. Previously Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. . Note that Debian already disabled the AJP connector by default. Mitigation is only required if the AJP port was made accessible to untrusted users. CVE-2020-9484 When using Apache Tomcat and an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter= last seen 2020-06-06 modified 2020-05-29 plugin id 136951 published 2020-05-29 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136951 title Debian DLA-2209-1 : tomcat8 security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1136.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.(CVE-2019-12418) - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.(CVE-2019-17563) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2020-02-24 plugin id 133937 published 2020-02-24 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133937 title EulerOS 2.0 SP5 : tomcat (EulerOS-SA-2020-1136) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-2077.NASL description Two security vulnerabilities have been fixed in the Tomcat servlet and JSP engine. CVE-2019-12418 When Apache Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. CVE-2019-17563 When using FORM authentication with Apache Tomcat there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 133276 published 2020-01-28 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133276 title Debian DLA-2077-1 : tomcat7 security update
Redhat
| rpms |
|
References
- https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E
- https://www.debian.org/security/2019/dsa-4596
- https://seclists.org/bugtraq/2019/Dec/43
- https://security.netapp.com/advisory/ntap-20200107-0001/
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html
- https://usn.ubuntu.com/4251-1/
- https://security.gentoo.org/glsa/202003-43
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.debian.org/security/2020/dsa-4680
- https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e%40%3Cissues.cxf.apache.org%3E