New vulnerability found in Apache Tomcat

Vulnerability testing specialists have revealed the discovery of a new vulnerability in Apache Tomcat. When using Authentication with Apache Tomcat, between versions 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98, a narrow window is presented where a threat actor could deploy a session fix attack.

At first the researchers considered this window
too narrow to function as an exploit in practice, however, it was decided to
report this scenario as a security flaw, tracked as CVE-2019-17563.

In the vulnerability testing expert report, the
conjunction of various circumstances allows a race condition to be presented in
Tomcat, allowing for session fixing and potentially allowing hackers to perform
a local attack to access a user’s session with administrator privileges.

For more details, security firm support five experts have prepared a chart where administrators can see if their products or versions have already been evaluated for this flaw. To determine whether your version is vulnerable, in addition to whether components are affected by the vulnerability, and to learn about the versions, point versions, or patches that address the vulnerability, see the following table:

In the event that you run an affected version,
vulnerability testing specialists at the International Institute of Cyber
Security (IICS) recommend correcting the failure by upgrading to one of the
versions that have the solutions. If the table shows only a version earlier
than the one you are currently running, or a vulnerable version is not
mentioned, there is no update at this time.  

For more information about recently found
security flaws, exploits, cyberattacks and malware analysis, you can visit the
official website of the International Institute of Cyber Security (IICS),
besides the official communication platforms of tech companies currently
dealing with information security incidents.  

You Might Also Like