CVE-2019-12418
Man-in-the-Middle vulnerability in tomcat-embed-core (Maven)

Man-in-the-Middle | No known exploit

What is CVE-2019-12418 About?

This vulnerability in Apache Tomcat's JMX Remote Lifecycle Listener allows a local attacker to perform a Man-in-the-Middle (MITM) attack on the RMI registry. This enables credential capture and subsequent full control over the Tomcat instance. Exploitation is local and requires specific configuration settings.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0, <9.0.29
    • >8.0.0, <8.5.49
    • <7.0.99

Technical Details

Apache Tomcat versions 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, and 7.0.0 to 7.0.97 are vulnerable when configured with the JMX Remote Lifecycle Listener. A local attacker, without direct access to the Tomcat process or configuration files, can manipulate the RMI registry. This manipulation allows the attacker to intercept and perform a Man-in-the-Middle attack on the communication channel used for JMX access. Consequently, the attacker can capture usernames and passwords transmitted during JMX authentication. With these stolen credentials, the attacker can then authenticate to the JMX interface and gain complete administrative control over the affected Tomcat instance.

What is the Impact of CVE-2019-12418?

Successful exploitation may allow attackers to gain full administrative control over the Tomcat instance, leading to data compromise, service disruption, or further system compromise.

What is the Exploitability of CVE-2019-12418?

Exploitation requires that Apache Tomcat be one of the affected versions and be configured with the JMX Remote Lifecycle Listener. The attack is local: the attacker must have local access to the system where Tomcat is running, but does not need direct access to the Tomcat process or its configuration files. No authentication is required to initiate the MITM attack on the RMI registry itself; the goal of the attack is to capture the credentials used for authenticated JMX access. The risk increases for systems where local access is possible and JMX remote management is enabled without proper security measures.
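The two preconditions above can be checked on a host from the Tomcat version and its `server.xml`. The following is an added example, not code from Apache Tomcat or from this advisory's publisher; it assumes a standalone `server.xml` (embedded deployments may register the listener in code instead), uses the version ranges from Technical Details, and the function names and sample configs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Class name of Tomcat's JMX Remote Lifecycle Listener as written in server.xml.
LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Ranges from Technical Details: (first affected, first fixed), upper bound exclusive.
AFFECTED = [((7, 0, 0), (7, 0, 99)), ((8, 5, 0), (8, 5, 49)), ((9, 0, 0), (9, 0, 29))]


def parse_version(text):
    """Turn '8.5.47' or '9.0.0.M1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(part) for part in m.groups())


def version_affected(text):
    v = parse_version(text)
    return any(low <= v < fixed for low, fixed in AFFECTED)


def jmx_listeners(server_xml):
    """Attributes of each active listener; commented-out XML is dropped by the parser."""
    root = ET.fromstring(server_xml)
    return [el.attrib for el in root.iter("Listener") if el.get("className") == LISTENER]


def assess(version, server_xml):
    affected, listeners = version_affected(version), jmx_listeners(server_xml)
    if affected and listeners:
        return "EXPOSED"                # both preconditions hold
    if affected:
        return "AFFECTED_VERSION_ONLY"  # listener absent or commented out
    return "NOT_AFFECTED"


# Constructed sample configs (not taken from any real deployment).
WITH_LISTENER = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
</Server>"""
COMMENTED_OUT = """<Server port="8005" shutdown="SHUTDOWN">
  <!-- <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"/> -->
</Server>"""

if __name__ == "__main__":
    for ver, cfg in [("9.0.28", WITH_LISTENER), ("8.5.47", COMMENTED_OUT), ("9.0.29", WITH_LISTENER)]:
        print(ver, "->", assess(ver, cfg))
```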

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2019-12418?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • <7.0.99 → Upgrade to 7.0.99
  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.0.0, <8.5.49 → Upgrade to 8.5.49
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0, <9.0.29 → Upgrade to 9.0.29

Additional Resources

What are Similar Vulnerabilities to CVE-2019-12418?

Similar Vulnerabilities: CVE-2020-1935, CVE-2020-13935, CVE-2021-33036, CVE-2022-42289, CVE-2023-38148