408c4e8c446dJRASERVER-70487

HistoryJan 15, 2020 - 3:29 p.m.

Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

2020-01-1515:29:54

408c4e8c446d

jira.atlassian.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

JSON

h3. Issue Summary

The recently disclosed vulnerabilities regarding Apache Tomcat

[CVE-2019-12418|https://vulners.com/cve/CVE-2019-12418]
[CVE-2019-17563|https://vulners.com/cve/CVE-2019-17563]

Which affects the following versions:

Apache Tomcat 8.x from 8.5.0 before 8.5.50

We should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.
h3. Steps to Reproduce

Not applicable.

h3. Expected Results

Not applicable.

h3. Actual Results

Not applicable.

h3. Workaround

Manually upgrade Tomcat according to our [documentation|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html].

CPENameOperatorVersion
jira data centerle8.6.1
jira data centerlt8.9.0
jira data centerlt8.5.9

Name	Operator	Version
jira data center	le	8.6.1
jira data center	lt	8.9.0
jira data center	lt	8.5.9

atlassian 4

nessus 49

redhat 9

debian 7

osv 18

openvas 25

amazon 7

ibm 11

photon 6

suse 2

thn 1

tomcat 6

kaspersky 3

mageia 2

gentoo 1

ubuntu 1

symantec 3

hackerone 1

github 4

veracode 4

redhatcve 4

prion 5

cve 4

f5 4

ubuntucve 4

debiancve 4

cgr 3

oraclelinux 2

centos 1

githubexploit 2

threatpost 1

qualysblog 1

atlassian

Upgrade Tomcat to 8.5.50 to fix CVE-2019-17563 & CVE-2019-12418

2020-01-15 15:29:54

The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569

2020-04-30 09:04:13

The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569

2020-04-30 09:04:13

nessus

RHEL 6 / 8 : Red Hat JBoss Web Server 5.3 release (Important) (RHSA-2020:1520)

2020-04-21 00:00:00

Debian DSA-4680-1 : tomcat9 - security update

2020-05-07 00:00:00

Photon OS 3.0: Apache PHSA-2020-3.0-0069

2020-03-24 00:00:00

redhat

(RHSA-2020:1521) Important: Red Hat JBoss Web Server 5.3 release

2020-04-21 10:36:39

(RHSA-2020:1520) Important: Red Hat JBoss Web Server 5.3 release

2020-04-21 10:36:37

(RHSA-2020:0861) Important: Red Hat JBoss Web Server 3.1 Service Pack 8 security update

2020-03-17 12:51:11

debian

[SECURITY] [DSA 4680-1] tomcat9 security update

2020-05-06 20:58:40

[SECURITY] [DLA 2133-1] tomcat7 security update

2020-03-04 18:14:50

[SECURITY] [DSA 4673-1] tomcat8 security update

2020-05-03 18:29:38

osv

tomcat9 - security update

2020-05-06 00:00:00

tomcat7 - security update

2020-03-04 00:00:00

tomcat8 - security update

2020-05-03 00:00:00

openvas

Debian: Security Advisory for tomcat9 (DSA-4680-1)

2020-05-08 00:00:00

openSUSE: Security Advisory for tomcat (openSUSE-SU-2020:0345-1)

2020-03-16 00:00:00

Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2020-1438)

2020-04-16 00:00:00

amazon

Important: tomcat8

2020-03-09 19:21:00

Important: tomcat7

2020-03-09 19:20:00

Medium: tomcat8

2020-01-14 18:18:00

ibm

Security Bulletin: Vulnerabilities in Apache Tomcat affects IBM Platform Symphony

2020-04-06 03:58:33

Security Bulletin: CVE-2019-17569, CVE-2020-1935 HTTP Request Smuggling if Tomcat was located behind a reverse proxy

2020-11-05 19:49:28

Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities.

2020-05-10 17:02:38

photon

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2020-1.0-0285

2020-03-20 00:00:00

Critical Photon OS Security Update - PHSA-2020-0218

2020-03-09 00:00:00

Critical Photon OS Security Update - PHSA-2020-0285

2020-03-09 00:00:00

suse

Security update for tomcat (important)

2020-03-15 00:00:00

Security update for tomcat (important)

2020-01-14 00:00:00

thn

GhostCat: New High-Risk Vulnerability Affects Servers Running Apache Tomcat

2020-02-28 13:00:00

tomcat

Fixed in Apache Tomcat 7.0.100

2020-02-14 00:00:00

Fixed in Apache Tomcat 9.0.31

2020-02-11 00:00:00

Fixed in Apache Tomcat 8.5.51

2020-02-11 00:00:00

kaspersky

KLA11679 Multiple vulnerabilities in Apache Tomcat

2020-02-24 00:00:00

KLA11626 SB vulnerability in Apache Tomcat

2019-12-12 00:00:00

KLA11627 SB vulnerability in Apache Tomcat

2019-11-21 00:00:00

mageia

Updated tomcat packages fix security vulnerabilities

2020-03-10 22:04:50

Updated tomcat packages fix security vulnerabilities

2020-01-28 10:52:40

gentoo

Apache Tomcat: Multiple vulnerabilities

2020-03-19 00:00:00

ubuntu

Tomcat vulnerabilities

2020-01-27 00:00:00

symantec

Apache Tomcat Vulnerabilities Oct 2018 – Feb 2020

2020-05-12 19:02:01

Apache Tomcat CVE-2019-17563 Session Fixation Vulnerability

2019-12-18 00:00:00

Apache Tomcat CVE-2019-12418 Local Privilege Escalation Vulnerability

2019-12-18 00:00:00

hackerone

U.S. Dept Of Defense: Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE

2020-05-14 19:38:44

github

Potential HTTP request smuggling in Apache Tomcat

2020-02-28 01:10:58

In Apache Tomcat, when using FORM authentication there was a narrow window where an attacker could perform a session fixation attack

2019-12-26 18:22:26

Insufficiently Protected Credentials in Apache Tomcat

2019-12-26 18:22:36

veracode

HTTP Request Smuggling

2020-02-25 07:52:44

Session Fixation

2019-12-19 08:29:44

Privilege Escalation

2019-12-23 08:45:46

redhatcve

CVE-2019-17569

2020-02-25 07:49:47

CVE-2019-17563

2019-12-20 18:38:45

CVE-2019-12418

2020-04-09 10:13:44

prion

Input validation

2020-02-24 22:15:00

Session fixation

2019-12-23 17:15:00

Design/Logic Flaw

2019-12-23 18:15:00

cve

CVE-2019-17569

2020-02-24 22:15:00

CVE-2019-17563

2019-12-23 17:15:00

CVE-2019-12418

2019-12-23 18:15:00

K66289873 : Apache Tomcat vulnerability CVE-2019-17569

2020-03-04 00:00:00

K24551552 : Apache Tomcat vulnerability CVE-2019-17563

2020-01-23 00:00:00

K10107360 : Apache Tomcat vulnerability CVE-2019-12418

2020-01-07 00:00:00

ubuntucve

CVE-2019-17569

2020-02-24 00:00:00

CVE-2019-17563

2019-12-23 00:00:00

CVE-2019-12418

2019-12-23 00:00:00

debiancve

CVE-2019-17569

2020-02-24 22:15:00

CVE-2019-17563

2019-12-23 17:15:00

CVE-2019-12418

2019-12-23 18:15:00

cgr

CVE-2019-17563 vulnerabilities

2024-04-19 03:23:19

CVE-2019-12418 vulnerabilities

2024-04-19 03:23:19

CVE-2020-1935 vulnerabilities

2024-04-19 03:23:19

oraclelinux

tomcat security update

2020-11-12 00:00:00

tomcat6 security update

2020-03-23 00:00:00

centos

tomcat security update

2020-11-18 17:27:18

githubexploit

Exploit for Improper Privilege Management in Apache Tomcat

2020-11-14 13:55:58

Exploit for Improper Privilege Management in Apache Tomcat

2021-04-27 14:57:30

threatpost

Apache Tomcat Exploit Poised to Pounce, Stealing Files

2020-03-23 20:56:37

qualysblog

Automatically Discover, Prioritize and Remediate Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys VMDR

2020-03-06 01:11:07

Products

Security Intelligence
Non-intrusive assessment
Developers SDK
Windows scanner
Linux scanner
Perimeter control tool
MSSP

Database

Vulnerabilities
Exploits
IOC
Security News
BugBounty
Popular
Wild Exploited
Top Vulnerabilities

Tools

Linux Security Scanner
API integration
Subscriptions
Plugins
Manual Audit

Learn More

Stats
API
Docs
Api-keys
License
Pricing
Glossary
FAQ

Company

Blog
Contacts
About Us
OpenSource
EULA
Brand Guideline
Privacy Policy

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.If you are an owner of some content and want it to be removed, please contact us. Using Vulners services you are accepting Vulners services end-user license agreement

@2024 Vulners Inc

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.974 High

EPSS

Percentile

99.9%

JSON

Related for JRASERVER-70487