Fixed in Apache Tomcat 7.0.99

Source: Apache Tomcat (tomcat.apache.org)
Published: Dec 17, 2019 - 12:00 a.m. (2019-12-17 00:00:00)
Record: TOMCAT:F732146DF28A05A3F4B1EFE76B3CC81C

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 5.1 Medium
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

EPSS: 0.004 Low
Percentile: 74.5%

Low: Session fixation CVE-2019-17563

When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

This was fixed with commit ab72a106.

This issue was reported to the Apache Tomcat Security Team by William Marlow (IBM) on 19 November 2019. The issue was made public on 18 December 2019.

Affects: 7.0.0 to 7.0.98

Note: The issue below was fixed in Apache Tomcat 7.0.98, but the release vote for the 7.0.98 release candidate did not pass. Therefore, although users must download 7.0.99 to obtain a version that includes the fix for this issue, version 7.0.98 is not included in the list of affected versions.

Moderate: Local Privilege Escalation CVE-2019-12418

When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.

The JMX Remote Lifecycle Listener will be deprecated in future Tomcat releases, will be removed for Tomcat 10 and may be removed from all Tomcat releases some time after 31 December 2020.

Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

This was fixed with commit bef3f404.

This issue was reported to the Apache Tomcat Security Team by An Trinh of Viettel Cyber Security on 10 October 2019. The issue was made public on 18 December 2019.

Affects: 7.0.0 to 7.0.97
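As an added defender-side check (not Apache Tomcat's own code), the script below reports which of the two issues above a Tomcat 7 instance is exposed to, given its version string and its server.xml. It assumes the JMX Remote Lifecycle Listener is declared as a Listener with className org.apache.catalina.mbeans.JmxRemoteLifecycleListener (the advisory does not give the class name) and uses the affected ranges stated above; the server.xml fragment is constructed for the demonstration.

```python
"""Check a Tomcat 7 instance against the two issues fixed in 7.0.99.

Added example, not Apache Tomcat's own code. Assumed: the listener class
name below; the affected ranges are the ones stated in the advisory.
"""
import xml.etree.ElementTree as ET

# Affected ranges as given in the advisory (inclusive on both ends).
AFFECTED = {
    "CVE-2019-17563": ((7, 0, 0), (7, 0, 98)),  # FORM auth session fixation
    "CVE-2019-12418": ((7, 0, 0), (7, 0, 97)),  # JMX Remote Lifecycle Listener
}

# Assumed class name of the listener (not stated in the advisory).
JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"


def parse_version(s):
    """'7.0.96' -> (7, 0, 96); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in s.strip().split("."))


def in_range(version, lo, hi):
    return lo <= version <= hi


def jmx_listener_enabled(server_xml):
    """True if server.xml declares the JMX Remote Lifecycle Listener."""
    root = ET.fromstring(server_xml)
    return any(l.get("className") == JMX_LISTENER for l in root.iter("Listener"))


def assess(version_str, server_xml):
    """Return the CVEs from this advisory that apply to the instance."""
    v = parse_version(version_str)
    findings = []
    # Session fixation needs FORM auth (set in web.xml); reported on version alone.
    if in_range(v, *AFFECTED["CVE-2019-17563"]):
        findings.append("CVE-2019-17563")
    # The JMX issue only applies when the listener is actually configured.
    if in_range(v, *AFFECTED["CVE-2019-12418"]) and jmx_listener_enabled(server_xml):
        findings.append("CVE-2019-12418")
    return findings


# Constructed sample server.xml fragment for demonstration.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
  <Service name="Catalina"/>
</Server>"""

if __name__ == "__main__":
    for ver in ("7.0.96", "7.0.98", "7.0.99"):
        print(ver, assess(ver, SAMPLE_SERVER_XML))
```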
