When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
History
07 Nov 2023, 03:03
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
18 Apr 2022, 15:47
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:workload_manager:18c:*:*:*:*:*:*:* cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:* cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:a:oracle:workload_manager:19c:*:*:*:*:*:*:* cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:* cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* cpe:2.3:a:oracle:workload_manager:12.2.0.1:*:*:*:*:*:*:* |
|
CWE | NVD-CWE-noinfo | |
First Time |
Netapp oncommand System Manager
Oracle Opensuse leap Canonical ubuntu Linux Netapp Oracle workload Manager Canonical Opensuse |
|
References | (MLIST) https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (SUSE) http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html - Mailing List, Third Party Advisory | |
References | (CONFIRM) https://security.netapp.com/advisory/ntap-20200107-0001/ - Third Party Advisory | |
References | (GENTOO) https://security.gentoo.org/glsa/202003-43 - Third Party Advisory | |
References | (CONFIRM) https://support.f5.com/csp/article/K10107360?utm_source=f5support&utm_medium=RSS - Third Party Advisory | |
References | (UBUNTU) https://usn.ubuntu.com/4251-1/ - Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html - Mailing List, Third Party Advisory | |
References | (DEBIAN) https://www.debian.org/security/2020/dsa-4680 - Third Party Advisory | |
References | (MLIST) https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html - Mailing List, Third Party Advisory | |
References | (N/A) https://www.oracle.com/security-alerts/cpuapr2020.html - Patch, Third Party Advisory | |
References | (MLIST) https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E - Mailing List, Patch, Vendor Advisory |
Information
Published : 2019-12-23 18:15
Updated : 2023-12-10 13:13
NVD link : CVE-2019-12418
Mitre link : CVE-2019-12418
CVE.ORG link : CVE-2019-12418
JSON object : View
Products Affected
apache
- tomcat
netapp
- oncommand_system_manager
opensuse
- leap
oracle
- workload_manager
debian
- debian_linux
canonical
- ubuntu_linux
CWE