Lucene search

AmazonALAS2-2023-2047

HistoryMay 11, 2023 - 5:49 p.m.

Important: tomcat

2023-05-1117:49:00

alas.aws.amazon.com

tomcat

jmx

remote lifecycle listener

form authentication

websocket

payload length

privilege escalation

session fixation

denial of service

security vulnerability

5.1 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8 High

AI Score

Confidence

High

0.148 Low

EPSS

Percentile

95.8%

JSON

Issue Overview:

A privilege escalation flaw was found in Tomcat when the JMX Remote Lifecycle Listener was enabled. A local attacker without access to the Tomcat process or configuration files could be able to manipulate the RMI registry to perform a man-in-the-middle attack. The attacker could then capture user names and passwords used to access the JMX interface and gain complete control over the Tomcat instance. (CVE-2019-12418)

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. (CVE-2019-17563)

A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-13935)

Affected Packages:

tomcat

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update tomcat to update your system.

New Packages:

noarch:  
    tomcat-7.0.76-10.amzn2.0.4.noarch  
    tomcat-admin-webapps-7.0.76-10.amzn2.0.4.noarch  
    tomcat-docs-webapp-7.0.76-10.amzn2.0.4.noarch  
    tomcat-javadoc-7.0.76-10.amzn2.0.4.noarch  
    tomcat-jsvc-7.0.76-10.amzn2.0.4.noarch  
    tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.4.noarch  
    tomcat-lib-7.0.76-10.amzn2.0.4.noarch  
    tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.4.noarch  
    tomcat-el-2.2-api-7.0.76-10.amzn2.0.4.noarch  
    tomcat-webapps-7.0.76-10.amzn2.0.4.noarch  
  
src:  
    tomcat-7.0.76-10.amzn2.0.4.src

Additional References

Red Hat: CVE-2019-12418, CVE-2019-17563, CVE-2020-13935

Mitre: CVE-2019-12418, CVE-2019-17563, CVE-2020-13935

OSVersionArchitecturePackageVersionFilename
Amazon Linux2noarchtomcat< 7.0.76-10.amzn2.0.4tomcat-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-admin-webapps< 7.0.76-10.amzn2.0.4tomcat-admin-webapps-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-docs-webapp< 7.0.76-10.amzn2.0.4tomcat-docs-webapp-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-javadoc< 7.0.76-10.amzn2.0.4tomcat-javadoc-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-jsvc< 7.0.76-10.amzn2.0.4tomcat-jsvc-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-jsp-2.2-api< 7.0.76-10.amzn2.0.4tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-lib< 7.0.76-10.amzn2.0.4tomcat-lib-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-servlet-3.0-api< 7.0.76-10.amzn2.0.4tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-el-2.2-api< 7.0.76-10.amzn2.0.4tomcat-el-2.2-api-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux2noarchtomcat-webapps< 7.0.76-10.amzn2.0.4tomcat-webapps-7.0.76-10.amzn2.0.4.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	noarch	tomcat	< 7.0.76-10.amzn2.0.4	tomcat-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-admin-webapps	< 7.0.76-10.amzn2.0.4	tomcat-admin-webapps-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-docs-webapp	< 7.0.76-10.amzn2.0.4	tomcat-docs-webapp-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-javadoc	< 7.0.76-10.amzn2.0.4	tomcat-javadoc-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-jsvc	< 7.0.76-10.amzn2.0.4	tomcat-jsvc-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-jsp-2.2-api	< 7.0.76-10.amzn2.0.4	tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-lib	< 7.0.76-10.amzn2.0.4	tomcat-lib-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-servlet-3.0-api	< 7.0.76-10.amzn2.0.4	tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-el-2.2-api	< 7.0.76-10.amzn2.0.4	tomcat-el-2.2-api-7.0.76-10.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	tomcat-webapps	< 7.0.76-10.amzn2.0.4	tomcat-webapps-7.0.76-10.amzn2.0.4.noarch.rpm