
[SECURITY] [DLA 2155-1] tomcat8 security update




Package        : tomcat8
Version        : 8.0.14-1+deb8u16
CVE ID         : CVE-2019-12418


When Tomcat8 is configured with the JMX Remote Lifecycle Listener, a
local attacker without access to the Tomcat process or configuration files
is able to manipulate the RMI registry to perform a man-in-the-middle
attack to capture user names and passwords used to access the JMX
interface. The attacker can then use these credentials to access the
JMX interface and gain complete control over the Tomcat instance.

For Debian 8 "Jessie", this problem has been fixed in version
8.0.14-1+deb8u16.

We recommend that you upgrade your tomcat8 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

