UBUNTU-CVE-2019-12418

Source
https://ubuntu.com/security/CVE-2019-12418
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-12418.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-12418
Related
Published
2019-12-23T18:15:00Z
Modified
2024-12-18T16:41:27Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

References

Affected packages

Ubuntu:Pro:14.04:LTS / tomcat7

Package

Name
tomcat7
Purl
pkg:deb/ubuntu/tomcat7?arch=src?distro=esm-infra-legacy/trusty

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.0.42-1
7.0.47-1
7.0.50-1
7.0.52-1
7.0.52-1ubuntu0.1
7.0.52-1ubuntu0.3
7.0.52-1ubuntu0.6
7.0.52-1ubuntu0.7
7.0.52-1ubuntu0.8
7.0.52-1ubuntu0.9
7.0.52-1ubuntu0.10
7.0.52-1ubuntu0.11
7.0.52-1ubuntu0.13
7.0.52-1ubuntu0.14
7.0.52-1ubuntu0.15
7.0.52-1ubuntu0.16
7.0.52-1ubuntu0.16+esm1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:16.04:LTS / tomcat8

Package

Name
tomcat8
Purl
pkg:deb/ubuntu/tomcat8?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
8.0.32-1ubuntu1.11

Affected versions

8.*

8.0.26-1
8.0.28-1
8.0.30-1
8.0.32-1
8.0.32-1ubuntu1
8.0.32-1ubuntu1.1
8.0.32-1ubuntu1.2
8.0.32-1ubuntu1.3
8.0.32-1ubuntu1.4
8.0.32-1ubuntu1.5
8.0.32-1ubuntu1.6
8.0.32-1ubuntu1.7
8.0.32-1ubuntu1.8
8.0.32-1ubuntu1.9
8.0.32-1ubuntu1.10

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "libservlet3.1-java"
        },
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "libservlet3.1-java-doc"
        },
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "libtomcat8-java"
        },
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "tomcat8"
        },
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "tomcat8-admin"
        },
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "tomcat8-common"
        },
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "tomcat8-docs"
        },
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "tomcat8-examples"
        },
        {
            "binary_version": "8.0.32-1ubuntu1.11",
            "binary_name": "tomcat8-user"
        }
    ]
}

Ubuntu:Pro:16.04:LTS / tomcat7

Package

Name
tomcat7
Purl
pkg:deb/ubuntu/tomcat7?arch=src?distro=esm-apps/xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.0.64-1
7.0.68-1
7.0.68-1ubuntu0.1
7.0.68-1ubuntu0.3
7.0.68-1ubuntu0.4
7.0.68-1ubuntu0.4+esm1
7.0.68-1ubuntu0.4+esm2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / tomcat7

Package

Name
tomcat7
Purl
pkg:deb/ubuntu/tomcat7?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

7.*

7.0.78-1
7.0.78-1ubuntu0.1~esm1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / tomcat8

Package

Name
tomcat8
Purl
pkg:deb/ubuntu/tomcat8?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

8.*

8.5.21-1ubuntu1
8.5.29-1
8.5.30-1
8.5.30-1ubuntu1
8.5.30-1ubuntu1.2
8.5.30-1ubuntu1.3
8.5.30-1ubuntu1.4
8.5.39-1ubuntu1~18.04.1
8.5.39-1ubuntu1~18.04.2
8.5.39-1ubuntu1~18.04.3
8.5.39-1ubuntu1~18.04.3+esm1
8.5.39-1ubuntu1~18.04.3+esm2
8.5.39-1ubuntu1~18.04.3+esm3

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / tomcat9

Package

Name
tomcat9
Purl
pkg:deb/ubuntu/tomcat9?arch=src?distro=esm-apps/bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.0.16-3~18.04.1
9.0.16-3ubuntu0.18.04.1
9.0.16-3ubuntu0.18.04.2
9.0.16-3ubuntu0.18.04.2+esm1
9.0.16-3ubuntu0.18.04.2+esm2
9.0.16-3ubuntu0.18.04.2+esm3
9.0.16-3ubuntu0.18.04.2+esm4

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / tomcat9

Package

Name
tomcat9
Purl
pkg:deb/ubuntu/tomcat9?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1

Affected versions

9.*

9.0.24-1
9.0.27-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "9.0.31-1",
            "binary_name": "libtomcat9-embed-java"
        },
        {
            "binary_version": "9.0.31-1",
            "binary_name": "libtomcat9-java"
        },
        {
            "binary_version": "9.0.31-1",
            "binary_name": "tomcat9"
        },
        {
            "binary_version": "9.0.31-1",
            "binary_name": "tomcat9-admin"
        },
        {
            "binary_version": "9.0.31-1",
            "binary_name": "tomcat9-common"
        },
        {
            "binary_version": "9.0.31-1",
            "binary_name": "tomcat9-docs"
        },
        {
            "binary_version": "9.0.31-1",
            "binary_name": "tomcat9-examples"
        },
        {
            "binary_version": "9.0.31-1",
            "binary_name": "tomcat9-user"
        }
    ]
}