PT-2019-5229 · Apache · Apache Tomcat
Published 2019-11-14 · Updated 2024-06-15 · CVE-2019-12418
CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 9.0.0.M1 through 9.0.28
Apache Tomcat versions 8.5.0 through 8.5.47
Apache Tomcat versions 7.0.0 through 7.0.97
Description
The issue affects Apache Tomcat instances configured with the JMX Remote Lifecycle Listener (org.apache.catalina.mbeans.JmxRemoteLifecycleListener). A local attacker who has neither access to the Tomcat process nor to its configuration files can manipulate the RMI registry that the listener uses to publish the JMX connector, and thereby perform a man-in-the-middle attack against JMX clients, capturing the user names and passwords they present. With those credentials the attacker can authenticate to the JMX interface and gain complete control over the Tomcat instance. The root cause is that the registration of the JMX connector in the RMI registry was not protected against modification by other local processes. Only deployments that actually enable the listener are exposed; it is not part of the default server.xml. The CVSS vector (AV:L, PR:L) reflects that exploitation requires a local, low-privileged account on the host.
Recommendations
Upgrade to a release that includes the fix: Apache Tomcat 9.0.29 or later for the 9.0.x branch, 8.5.48 or later for the 8.5.x branch, or 7.0.98 or later for the 7.0.x branch.
If upgrading is not immediately possible, remove or comment out the JmxRemoteLifecycleListener <Listener> element in conf/server.xml and restart Tomcat. The vulnerable code path is only active while the listener is configured, so this closes the issue at the cost of losing the fixed-port JMX endpoint it provides.
Restricting network access to the RMI registry and JMX server ports is good practice and limits remote exposure of the JMX interface, but it does not mitigate this issue, which is exploited by a local user on the same host.
The listener is deprecated in Tomcat 9.0.x and is not available in Tomcat 10.x, so deployments that depend on it will need to change regardless of this advisory.
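As an added check (not part of this advisory, nor code from the Tomcat project), the following Python script encodes the affected ranges listed above and inspects a server.xml for an enabled JmxRemoteLifecycleListener, reporting a single verdict. The sample server.xml, the RMI port values in it and the function names are constructed for the example; on a real host, pass it the banner printed by `catalina.sh version` and the contents of $CATALINA_BASE/conf/server.xml.

```python
import re
import xml.etree.ElementTree as ET

# First release on each branch that carries the fix (Apache Tomcat security
# pages). Branches missing here are outside the scope of this advisory.
FIXED_IN = {"9.0": 29, "8.5": 48, "7.0": 98}
LISTENER_CLASS = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Constructed sample server.xml (not from any real host): one enabled listener
# and one that an operator has commented out as a workaround.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <!--
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10003" rmiServerPortPlatform="10004" />
  -->
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def version_status(version):
    """Classify a Tomcat version string as 'affected', 'fixed' or 'not covered'.

    Accepts the bare number ('9.0.28') or the banner printed by
    'catalina.sh version' ('Apache Tomcat/9.0.28'). Milestone builds such as
    9.0.0.M1 compare as 9.0.0, which is correct here: every 9.0.0.Mx build
    predates the fix in 9.0.29.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    branch = f"{m.group(1)}.{m.group(2)}"
    patch = int(m.group(3))
    if branch not in FIXED_IN:
        return "not covered"
    return "affected" if patch < FIXED_IN[branch] else "fixed"


def active_jmx_listeners(server_xml):
    """Return the attributes of each JmxRemoteLifecycleListener still enabled.

    ElementTree drops XML comments while parsing, so a listener that was
    commented out (the usual workaround) is not reported.
    """
    root = ET.fromstring(server_xml)
    return [dict(el.attrib) for el in root.iter("Listener")
            if el.get("className") == LISTENER_CLASS]


def assess(version, server_xml):
    """One-line verdict combining the version range and the configuration."""
    listeners = active_jmx_listeners(server_xml)
    if not listeners:
        return "not exposed: JMX Remote Lifecycle Listener is not enabled"
    ports = "; ".join(
        f"registry={lst.get('rmiRegistryPortPlatform', '?')} "
        f"server={lst.get('rmiServerPortPlatform', '?')}"
        for lst in listeners)
    status = version_status(version)
    if status == "affected":
        return f"VULNERABLE: {version} with listener enabled ({ports})"
    if status == "fixed":
        return f"patched: {version} carries the fix (listener enabled, {ports})"
    return f"not covered: {version} is outside the advisory ranges (listener enabled, {ports})"


if __name__ == "__main__":
    for v in ("9.0.0.M1", "9.0.28", "9.0.29", "8.5.47", "7.0.98", "10.1.0"):
        print(assess(v, SAMPLE_SERVER_XML))
```

A "patched" verdict still means the JMX interface is reachable with whatever credentials are configured for it, so the usual JMX hardening (authentication, TLS, firewalling of the RMI ports) applies independently of this CVE.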
Exploit
Fix
Apache Tomcat 9.0.29, 8.5.48 and 7.0.98 include the fix.
Weakness Enumeration
CWE-522: Insufficiently Protected Credentials
Related Identifiers
CVE-2019-12418
Affected Products
Alt Linux
Apache Tomcat
Suse
Ubuntu