History: Jul 24, 2020 - 10:19 p.m.

Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM)(CVE-2019-12418, CVE-2019-17563)

Published: 2020-07-24 22:19:08
Source: www.ibm.com

**CVSS3: 7.5 High**

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

**CVSS2: 5.1 Medium**

| Metric | Value |
| --- | --- |
| Access Vector | NETWORK |
| Access Complexity | HIGH |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Summary

Multiple vulnerabilities in Open Source Apache Tomcat, reported by The Apache Software Foundation, affect IBM Tivoli Application Dependency Discovery Manager (TADDM).

Vulnerability Details

CVEID: CVE-2019-12418
**DESCRIPTION:** Apache Tomcat could allow a local attacker to gain elevated privileges on the system, caused by a flaw when configured with the JMX Remote Lifecycle Listener. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to capture user names and passwords used to access the JMX interface and gain elevated privileges.
CVSS Base score: 8.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/173626 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2019-17563
**DESCRIPTION:** Apache Tomcat could allow a local attacker to hijack a user's session. By using the FORM authentication function, an attacker could exploit this vulnerability to gain access to another user's session.
CVSS Base score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/173558 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

| Affected Product(s) | Version(s) |
| --- | --- |
| IBM Tivoli Application Dependency Discovery Manager | 7.3.0 |

Note: TADDM 7.3.0.1 - 7.3.0.7 are not affected, as they use WebSphere Liberty Profile.

Remediation/Fixes

The eFix below is prepared on top of the latest 7.3.0.0 (7.3.0.1 - 7.3.0.7 are not affected).

| Fix | VRMF | APAR | How to acquire fix |
| --- | --- | --- | --- |
| efix_tomcat7099_201411291020.zip | 7.3.0.0 | None | Download eFix |

Please read the eFix readme in etc/<efix_name>_readme.txt before applying the fix.
Note that the eFix requires manual deletion of the external/apache-tomcat directory.

Workarounds and Mitigations

The above eFix is applicable only to 7.3.0.0 and can be downloaded and applied directly.

Note: TADDM 7.3.0.1 - 7.3.0.7 are not affected, as they use WebSphere Liberty Profile.
