Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2019-12418

When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

Related bugs and status

CVE-2019-12418 (Candidate) is related to these bugs:

Bug #1865904: Needs updated to Tomcat 8.5.51 for GhostCat bug fixes

Summary				In	Importance	Status
	1865904	Needs updated to Tomcat 8.5.51 for GhostCat bug fixes		tomcat8 (Ubuntu)	Undecided	Triaged

See the

CVE page on Mitre.org for more details.

References

CONFIRM: https://lists.apache.o...
DEBIAN: DSA-4596
BUGTRAQ: 20191229 [SECURITY] [D...
CONFIRM: https://security.netap...
CONFIRM: https://support.f5.com...
SUSE: openSUSE-SU-2020:0038
MLIST: [debian-lts-announce] ...
UBUNTU: USN-4251-1
MLIST: [tomcat-dev] 20200203 ...
MLIST: [tomcat-dev] 20200203 ...
MLIST: [tomcat-dev] 20200213 ...
MLIST: [tomcat-dev] 20200213 ...
MLIST: [tomcat-dev] 20200213 ...
GENTOO: GLSA-202003-43
MLIST: [debian-lts-announce] ...
MISC: https://www.oracle.com...
DEBIAN: DSA-4680