Multiple vulnerabilities in Open Source Apache Tomcat reported by The Apache Software Foundation affect IBM Tivoli Application Dependency Discovery Manager
CVEID:CVE-2019-12418
**DESCRIPTION:**Apache Tomcat could allow a local attacker to gain elevated privileges on the system, caused by a flaw when configured with the JMX Remote Lifecycle Listener. By using man-in-the-middle attack techniques, an attacker could exploit this vulnerability to capture user names and passwords used to access the JMX interface and gain elevated privileges.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173626 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2019-17563
**DESCRIPTION:**Apache Tomcat could allow a local attacker to hijack a user’s session. By using the FORM authentication function, an attacker could exploit this vulnerability to gain access to another user’s session.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/173558 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
IBM Tivoli Application Dependency Discovery Manager - 7.2.2 Marked as Invalid
Affected Product(s) | Version(s) |
---|---|
IBM Tivoli Application Dependency Discovery Manager | 7.3.0 |
Note:
TADDM 7.3.0.1 - 7.3.0.7 - not affected - as they use WebSphere Liberty Profile.
Below eFix is prepared on top of the latest 7.3.0.0 (7.3.0.1 - 7.3.0.7 not affected)
Fix | VRMF | APAR | How to acquire fix |
---|
efix_tomcat7099_201411291020.zip
| 7.3.0.0| None| Download eFix
Please get familiar with eFix readme in etc/<efix_name>_readme.txt
Note that the eFix requires manual deletion of the external/apache-tomcat directory.
The above eFix is applicable only to 7.3.0.0 and can be downloaded and applied directly.
Note :
TADDM 7.3.0.1 - 7.3.0.7 are not affected as they use WebSphere Liberty Profile.
CPE | Name | Operator | Version |
---|---|---|---|
tivoli application dependency discovery manager | eq | 7.3.0.0 |