New vulnerability found in Apache Tomcat

Vulnerability testing specialists have reported a new vulnerability in Apache Tomcat. When authentication is in use with Apache Tomcat versions 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98, there is a narrow window in which a threat actor could carry out a session fixation attack.

At first the researchers considered this window too narrow to be exploitable in practice; nevertheless, it was decided to report the scenario as a security flaw, tracked as CVE-2019-17563.

According to the vulnerability testing experts' report, the conjunction of several circumstances creates a race condition in Tomcat that allows session fixation, potentially letting an attacker perform a local attack to gain access to a user's session with administrator privileges.

For more details, the security firm's support experts have prepared a chart where administrators can check whether their products or versions have already been evaluated for this flaw. To determine whether your version is vulnerable, which components are affected, and which versions, point releases or patches address the vulnerability, see the following table:

If you run an affected version, vulnerability testing specialists at the International Institute of Cyber Security (IICS) recommend correcting the flaw by upgrading to one of the versions that contain the fix. If the table shows only a version earlier than the one you are currently running, or your vulnerable version is not listed, there is no update at this time.
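As an added example that is not part of the original article or of the Tomcat project, the following Python helper checks a Tomcat version string against the three affected ranges quoted above, treating milestone builds such as 9.0.0.M1 as sorting before the corresponding final release. The "Apache Tomcat/x.y.z" line format is assumed from the output of bin/version.sh, and the sample inputs are constructed.

```python
import re

# Affected ranges exactly as stated in the advisory text above (inclusive).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.29"),
    ("8.5.0", "8.5.49"),
    ("7.0.0", "7.0.98"),
]

# major.minor.patch with an optional milestone suffix (".M1" or "-M1").
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
# Assumed format of the "Server version:" line printed by bin/version.sh.
_BANNER_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text):
    """Convert a Tomcat version string into a comparable tuple.

    The fourth element is 0 for milestone builds and 1 for final releases,
    so 9.0.0.M27 < 9.0.1; the fifth element carries the milestone number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the version falls inside any range listed in the advisory."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_banner(line):
    """Extract the version from a 'Server version: Apache Tomcat/9.0.29' line."""
    m = _BANNER_RE.search(line)
    if not m:
        raise ValueError(f"no Tomcat version in line: {line!r}")
    return m.group(1)


if __name__ == "__main__":
    # Constructed sample lines, one per installation being inventoried.
    for line in ["Server version: Apache Tomcat/9.0.29",
                 "Server version: Apache Tomcat/9.0.0.M1",
                 "Server version: Apache Tomcat/8.5.50"]:
        ver = version_from_banner(line)
        print(f"{ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
```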

For more information about recently found security flaws, exploits, cyberattacks and malware analysis, you can visit the official website of the International Institute of Cyber Security (IICS), as well as the official communication channels of the tech companies currently dealing with information security incidents.