CVE-2019-17563
session fixation vulnerability in tomcat-embed-core (Maven)

Vulnerability type: session fixation. Known public exploits: none.

What is CVE-2019-17563 About?

Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 contain a session fixation weakness in FORM authentication. The window in which it can be exploited is narrow; the Tomcat project judged it too narrow for a practical exploit but, erring on the side of caution, treated the issue as a security vulnerability. A successful attack would let the attacker take over the victim's authenticated session.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • 7.0.0 to 7.0.98 (fixed in 7.0.99)
    • 8.0.0 to 8.5.49 (fixed in 8.5.50; the Tomcat advisory names 8.5.0 to 8.5.49, and the 8.0.x line, end of life since June 2018, is carried in the same range here)
    • 9.0.0.M1 to 9.0.29 (fixed in 9.0.30)

Technical Details

The vulnerability applies only to applications that use FORM authentication (auth-method FORM in web.xml). In a session fixation attack the attacker arranges for the victim's browser to hold a session ID the attacker already knows, either by planting a chosen ID or by capturing the ID the server issues before login, and then waits for the victim to authenticate. If the server keeps that session ID across the login, the attacker's copy of it now refers to an authenticated session, and the attacker can act as the victim without ever learning the credentials. Tomcat's authenticators guard against this by changing the session ID when a user authenticates (the changeSessionIdOnAuthentication attribute of the authenticator valve, which is enabled by default). In the affected versions, FORM authentication still left a narrow window in which that protection did not hold, so an attacker who had pre-positioned a session ID, and whose victim completed the login inside that window, could end up holding the victim's authenticated session.
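The check a tester would run against a FORM login to see whether the session ID survives authentication, as an added example that is not Tomcat's code. It fetches a JSESSIONID before logging in, submits the credentials while presenting that cookie, and reports whether the response assigns a new ID. The parsing runs offline on constructed headers; the probe() driver assumes a hypothetical target and Tomcat's default FORM behaviour. It detects the general misconfiguration (a login that never rotates the session ID), not the narrow timing window of CVE-2019-17563 itself, which a single request/response pair cannot observe.

```python
"""Check whether a FORM-authentication login rotates the session ID.

Added example, not Apache Tomcat's code. Models the session fixation test
against a Tomcat FORM login: obtain a JSESSIONID before authenticating, POST
the credentials to j_security_check while presenting that cookie, and see
whether the response assigns a different JSESSIONID.

Caveat: a server that rotates the ID here may still be affected by
CVE-2019-17563, whose exposure is a narrow timing window that this
request-level check cannot observe. What it catches is the broader problem
of a login that keeps the pre-authentication session ID (for example
changeSessionIdOnAuthentication="false" on the authenticator valve, or a
custom login servlet that never calls request.changeSessionId()).
"""
import http.client
import urllib.parse
from typing import Iterable, Optional

SESSION_COOKIE = "JSESSIONID"


def session_id_from_set_cookie(set_cookie_headers: Iterable[str]) -> Optional[str]:
    """Return the JSESSIONID value from a list of Set-Cookie header values, or None.

    Only the first name=value pair of each header is the cookie itself; the rest
    (Path, HttpOnly, Secure, SameSite, ...) are attributes and are ignored.
    """
    for header in set_cookie_headers:
        pair = header.split(";", 1)[0]
        name, sep, value = pair.partition("=")
        if sep and name.strip() == SESSION_COOKIE:
            return value.strip()
    return None


def classify(pre_login_id: str, login_set_cookies: Iterable[str], authenticated: bool) -> str:
    """Classify one login exchange.

    pre_login_id      JSESSIONID the client presented when submitting the form
    login_set_cookies Set-Cookie values on the response to j_security_check
    authenticated     whether the server accepted the credentials
    """
    if not authenticated:
        return "login-failed"
    post_login_id = session_id_from_set_cookie(login_set_cookies)
    if post_login_id is None:
        # The server kept the pre-authentication session: whoever planted
        # pre_login_id in the victim's browser now holds an authenticated session.
        return "fixation: session ID unchanged after login"
    if post_login_id == pre_login_id:
        return "fixation: same session ID re-issued"
    return "rotated"


def probe(host: str, port: int, context: str, protected_path: str,
          username: str, password: str) -> str:
    """Run the check against a live FORM-protected app (hypothetical target).

    Assumes Tomcat's defaults: a GET on a protected page creates the session
    that FORM auth uses to remember the original request, the login form posts
    to <context>/j_security_check, and a successful login answers with a
    redirect (302/303) to the original page while a failed login forwards to
    the error page with a 200.
    """
    conn = http.client.HTTPConnection(host, port, timeout=10)
    conn.request("GET", context + protected_path)
    resp = conn.getresponse()
    resp.read()
    pre_login_id = session_id_from_set_cookie(resp.headers.get_all("Set-Cookie") or [])
    if pre_login_id is None:
        return "no session issued before login"

    body = urllib.parse.urlencode({"j_username": username, "j_password": password})
    conn.request("POST", context + "/j_security_check", body=body, headers={
        "Cookie": f"{SESSION_COOKIE}={pre_login_id}",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    resp = conn.getresponse()
    resp.read()
    authenticated = resp.status in (302, 303)
    return classify(pre_login_id, resp.headers.get_all("Set-Cookie") or [], authenticated)


if __name__ == "__main__":
    # Constructed exchanges, not captured from a real server.
    print(classify("A1", [], True))                                   # no rotation
    print(classify("A1", ["JSESSIONID=B2; Path=/; HttpOnly"], True))  # rotated
```

Run probe() only against a server you are authorised to test; the "rotated" result means the login replaced the pre-authentication session ID, which is what Tomcat's default configuration is expected to do.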

What is the Impact of CVE-2019-17563?

Successful exploitation lets the attacker hijack a legitimate user's authenticated session: the attacker gains access to the account and can perform any action the application permits that user, without ever knowing the credentials.

What is the Exploitability of CVE-2019-17563?

Exploitation is considered difficult because of the narrow window. The attacker must obtain a session ID (by requesting one from the server or by choosing one), get it into the victim's browser, typically through social engineering or a crafted link (when URL session tracking is enabled, Tomcat also accepts the ID as a ;jsessionid= path parameter, which widens the delivery options), and have the victim complete the FORM login inside the window. No credentials or privileges are needed on the attacker's side and the attack is remote, but it depends on user interaction and on timing the attacker cannot fully control. The Tomcat project itself described the window as too narrow for a practical exploit, so the likelihood of exploitation in practice is low.

What are the Known Public Exploits?

No public proof-of-concept exploits are known for this vulnerability.

What are the Available Fixes for CVE-2019-17563?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • 7.0.0 to 7.0.98 → upgrade to 7.0.99
    • 8.0.0 to 8.5.49 → upgrade to 8.5.50
    • 9.0.0.M1 to 9.0.29 → upgrade to 9.0.30


Additional Resources

What are Similar Vulnerabilities to CVE-2019-17563?

Similar Vulnerabilities: CVE-2011-3190, CVE-2014-0417, CVE-2017-7679, CVE-2018-1250, CVE-2020-9483