Main Vulnerability Database SB2020011519

SB2020011519 - Amazon Linux AMI update for tomcat8

Published: January 15, 2020

Security Bulletin ID SB2020011519

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Information disclosure

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-12418)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to the local user without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface.

Successful vulnerability exploitation requires that Apache Tomcat is configured with the JMX Remote Lifecycle Listener.

2) Session Fixation (CVE-ID: CVE-2019-17563)

The vulnerability allows a remote attacker to perform a session fixation attack.

The vulnerability exists due to a race condition when FORM authentication is used in Apache Tomcat. A remote attacker can use a narrow window to perform a session fixation attack.

Remediation

Install update from vendor's website.

References

https://alas.aws.amazon.com/ALAS-2020-1337.html