ID

VAR-201904-1069


CVE

CVE-2019-0199


TITLE

Apache Tomcat Vulnerable to resource exhaustion

Trust: 0.8

sources: JVNDB: JVNDB-2019-003375

DESCRIPTION

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. Apache Tomcat therefore contains a resource exhaustion vulnerability that may result in a denial-of-service (DoS) condition. Apache Tomcat is a lightweight web application server from the Apache Software Foundation that implements support for Servlet and JavaServer Pages (JSP). An attacker could exploit the vulnerability to cause a denial of service. A vulnerability in Apache Tomcat could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to a resource exhaustion condition in the HTTP/2 implementation of the affected software. A successful exploit could result in a DoS condition on the targeted system. Apache has confirmed the vulnerability and released software updates.
Debian Security Advisory DSA-4596-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
December 27, 2019 https://www.debian.org/security/faq

Package : tomcat8
CVE ID : CVE-2018-8014 CVE-2018-11784 CVE-2019-0199 CVE-2019-0221 CVE-2019-12418 CVE-2019-17563

Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects.

For the oldstable distribution (stretch), these problems have been fixed in version 8.5.50-0+deb9u1. This update also requires an updated version of tomcat-native which has been updated to 1.2.21-1~deb9u1.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to its security tracker page at: https://security-tracker.debian.org/tracker/tomcat8

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

Red Hat Security Advisory

Synopsis: Important: Red Hat support for Spring Boot 2.1.12 security and bug fix update
Advisory ID: RHSA-2020:2366-01
Product: Red Hat OpenShift Application Runtimes
Advisory URL: https://access.redhat.com/errata/RHSA-2020:2366
Issue date: 2020-06-04
CVE Names: CVE-2019-0199 CVE-2019-3868 CVE-2019-3875 CVE-2019-10199 CVE-2019-10201 CVE-2019-14832

1. Summary:

An update is now available for Red Hat OpenShift Application Runtimes.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

[NOTE: This security advisory was unintentionally omitted at the time of the initial software release on 2020-02-18. The advisory is informational only; no files in the release have changed.]

2. Description:

Red Hat support for Spring Boot provides an application platform that reduces the complexity of developing and operating applications (monoliths and microservices) for OpenShift as a containerized platform.

This release of Red Hat support for Spring Boot 2.1.12 serves as a replacement for Red Hat support for Spring Boot 2.1.6, and includes security and bug fixes and enhancements. For further information, refer to the release notes linked to in the References section.

Security Fix(es):

* tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)
* keycloak: SAML broker does not check existence of signature on document allowing any user impersonation (CVE-2019-10201)
* keycloak: session hijack using the user access token (CVE-2019-3868)
* keycloak: missing signatures validation on CRL used to verify client certificates (CVE-2019-3875)
* keycloak: CSRF check missing in My Resources functionality in the Account Console (CVE-2019-10199)
* keycloak: cross-realm user access auth bypass (CVE-2019-14832)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

3. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

The References section of this erratum contains a download link (you must log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1679144 - CVE-2019-3868 keycloak: session hijack using the user access token
1690628 - CVE-2019-3875 keycloak: missing signatures validation on CRL used to verify client certificates
1693325 - CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
1728609 - CVE-2019-10201 keycloak: SAML broker does not check existence of signature on document allowing any user impersonation
1729261 - CVE-2019-10199 keycloak: CSRF check missing in My Resources functionality in the Account Console
1749487 - CVE-2019-14832 keycloak: cross-realm user access auth bypass

5. References:

https://access.redhat.com/security/cve/CVE-2019-0199
https://access.redhat.com/security/cve/CVE-2019-3868
https://access.redhat.com/security/cve/CVE-2019-3875
https://access.redhat.com/security/cve/CVE-2019-10199
https://access.redhat.com/security/cve/CVE-2019-10201
https://access.redhat.com/security/cve/CVE-2019-14832
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=catRhoar.spring.boot&downloadType=distributions&version=2.1.12
https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.7

sources: NVD: CVE-2019-0199 // JVNDB: JVNDB-2019-003375 // CNVD: CNVD-2019-15086 // BID: 107674 // VULMON: CVE-2019-0199 // PACKETSTORM: 155792 // PACKETSTORM: 157964

IOT TAXONOMY

category: ['Network device']  sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2019-15086

AFFECTED PRODUCTS

vendor | model                     | scope | version            | Trust
apache | tomcat                    | eq    | 9.0.0              | 1.1
apache | tomcat                    | lte   | 9.0.14             | 1.0
apache | tomcat                    | gte   | 8.5.0              | 1.0
apache | tomcat                    | lte   | 8.5.37             | 1.0
apache | tomcat                    | gte   | 9.0.1              | 1.0
apache | tomcat                    | eq    | 8.5.0 to 8.5.37    | 0.8
apache | tomcat                    | eq    | 9.0.0.m1 to 9.0.14 | 0.8
apache | tomcat                    | -     | -                  | 0.6
apache | tomcat                    | eq    | 8.5.0              | 0.4
apache | tomcat                    | eq    | 8.5.1              | 0.4
apache | tomcat                    | eq    | 8.5.2              | 0.4
apache | tomcat                    | eq    | 8.5.3              | 0.4
apache | tomcat                    | eq    | 8.5.4              | 0.4
apache | tomcat                    | eq    | 8.5.5              | 0.4
apache | tomcat                    | eq    | 8.5.6              | 0.4
apache | tomcat                    | eq    | 8.5.7              | 0.4
apache | tomcat                    | eq    | 8.5.8              | 0.4
apache | tomcat                    | eq    | 8.5.9              | 0.4
apache | tomcat                    | eq    | 8.5.11             | 0.4
apache | tomcat                    | eq    | 8.5.12             | 0.4
apache | tomcat                    | eq    | 8.5.13             | 0.4
apache | tomcat                    | eq    | 8.5.14             | 0.4
apache | tomcat                    | eq    | 8.5.15             | 0.4
apache | tomcat                    | eq    | 8.5.16             | 0.4
apache | tomcat                    | eq    | 8.5.23             | 0.4
apache | tomcat                    | eq    | 8.5.24             | 0.4
apache | tomcat                    | eq    | 8.5.27             | 0.4
apache | tomcat                    | eq    | 8.5.28             | 0.4
apache | tomcat                    | eq    | 8.5.30             | 0.4
apache | tomcat                    | eq    | 8.5.31             | 0.4
apache | tomcat                    | eq    | 8.5.32             | 0.4
apache | tomcat                    | eq    | 8.5.34             | 0.4
apache | tomcat                    | eq    | 8.5.37             | 0.4
apache | tomcat                    | eq    | 9.0.1              | 0.4
apache | tomcat                    | eq    | 9.0.4              | 0.4
apache | tomcat                    | eq    | 9.0.5              | 0.4
apache | tomcat                    | eq    | 9.0.7              | 0.4
apache | tomcat                    | eq    | 9.0.8              | 0.4
apache | tomcat                    | eq    | 9.0.9              | 0.4
apache | tomcat                    | eq    | 9.0.10             | 0.4
apache | tomcat                    | eq    | 9.0.12             | 0.4
apache | tomcat                    | eq    | 9.0.14             | 0.4
oracle | instantis enterprisetrack | eq    | 17.3               | 0.3
oracle | instantis enterprisetrack | eq    | 17.2               | 0.3
oracle | instantis enterprisetrack | eq    | 17.1               | 0.3
apache | tomcat 9.0.0m8            | -     | -                  | 0.3
apache | tomcat 9.0.0m6            | -     | -                  | 0.3
apache | tomcat 9.0.0.m9           | -     | -                  | 0.3
apache | tomcat 9.0.0.m7           | -     | -                  | 0.3
apache | tomcat 9.0.0.m5           | -     | -                  | 0.3
apache | tomcat 9.0.0.m4           | -     | -                  | 0.3
apache | tomcat 9.0.0.m3           | -     | -                  | 0.3
apache | tomcat 9.0.0.m22          | -     | -                  | 0.3
apache | tomcat 9.0.0.m21          | -     | -                  | 0.3
apache | tomcat 9.0.0.m20          | -     | -                  | 0.3
apache | tomcat 9.0.0.m2           | -     | -                  | 0.3
apache | tomcat 9.0.0.m19          | -     | -                  | 0.3
apache | tomcat 9.0.0.m18          | -     | -                  | 0.3
apache | tomcat 9.0.0.m17          | -     | -                  | 0.3
apache | tomcat 9.0.0.m15          | -     | -                  | 0.3
apache | tomcat 9.0.0.m13          | -     | -                  | 0.3
apache | tomcat 9.0.0.m12          | -     | -                  | 0.3
apache | tomcat 9.0.0.m11          | -     | -                  | 0.3
apache | tomcat 9.0.0.m10          | -     | -                  | 0.3
apache | tomcat 9.0.0.m1           | -     | -                  | 0.3
apache | tomcat                    | ne    | 9.0.16             | 0.3
apache | tomcat                    | ne    | 8.5.38             | 0.3
apache | tomcat                    | eq    | 8.5.10             | 0.1
apache | tomcat                    | eq    | 8.5.17             | 0.1
apache | tomcat                    | eq    | 8.5.18             | 0.1
apache | tomcat                    | eq    | 8.5.19             | 0.1
apache | tomcat                    | eq    | 8.5.20             | 0.1
apache | tomcat                    | eq    | 8.5.21             | 0.1
apache | tomcat                    | eq    | 8.5.22             | 0.1
apache | tomcat                    | eq    | 8.5.25             | 0.1
apache | tomcat                    | eq    | 8.5.26             | 0.1
apache | tomcat                    | eq    | 8.5.29             | 0.1
apache | tomcat                    | eq    | 8.5.33             | 0.1
apache | tomcat                    | eq    | 8.5.35             | 0.1
apache | tomcat                    | eq    | 8.5.36             | 0.1
apache | tomcat                    | eq    | 9.0.2              | 0.1
apache | tomcat                    | eq    | 9.0.3              | 0.1
apache | tomcat                    | eq    | 9.0.6              | 0.1
apache | tomcat                    | eq    | 9.0.11             | 0.1
apache | tomcat                    | eq    | 9.0.13             | 0.1

sources: CNVD: CNVD-2019-15086 // VULMON: CVE-2019-0199 // BID: 107674 // JVNDB: JVNDB-2019-003375 // NVD: CVE-2019-0199

CVSS

SEVERITY

nvd@nist.gov: CVE-2019-0199
value: HIGH

Trust: 1.0

NVD: CVE-2019-0199
value: HIGH

Trust: 0.8

CNVD: CNVD-2019-15086
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201903-919
value: HIGH

Trust: 0.6

VULMON: CVE-2019-0199
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2019-0199
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

CNVD: CNVD-2019-15086
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

CVSSV3

nvd@nist.gov: CVE-2019-0199
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2019-15086 // VULMON: CVE-2019-0199 // JVNDB: JVNDB-2019-003375 // CNNVD: CNNVD-201903-919 // NVD: CVE-2019-0199

PROBLEMTYPE DATA

problemtype:CWE-400

Trust: 1.8

sources: JVNDB: JVNDB-2019-003375 // NVD: CVE-2019-0199

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201903-919

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-201903-919

CONFIGURATIONS

sources: JVNDB: JVNDB-2019-003375

PATCH

title | url | Trust
svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E | 0.8
svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E | 0.8
svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E | 0.8
[SECURITY] CVE-2019-0199 Apache Tomcat HTTP/2 DoS | https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3Cannounce.tomcat.apache.org%3E | 0.8
svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E | 0.8
Patch for ApacheTomcat Resource Management Error Vulnerability (CNVD-2019-15086) | https://www.cnvd.org.cn/patchInfo/show/161993 | 0.6
Apache Tomcat Security vulnerabilities | http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=90371 | 0.6
Debian CVElist Bug Report Logs: tomcat9: CVE-2019-10072 | https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=7966741ad75ea9ed4ce251ef47c32196 | 0.1
Ubuntu Security Notice: tomcat9 vulnerabilities | https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4128-2 | 0.1
Ubuntu Security Notice: tomcat8 vulnerabilities | https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-4128-1 | 0.1
Red Hat: Moderate: Red Hat JBoss Web Server 5.2 security release | https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20193929 - Security Advisory | 0.1
Amazon Linux AMI: ALAS-2019-1234 | https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2019-1234 | 0.1
IBM: Security Bulletin: CVE-2019-10072 | https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=4cfa73e64dc3855ace71ce18bac6fba2 | 0.1
IBM: IBM Security Bulletin: Apache Tomcat as used in IBM QRadar SIEM is vulnerable to denial of service (CVE-2019-0199) | https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=2579e74a8148d49567b550a034c8f808 | 0.1
Amazon Linux AMI: ALAS-2019-1208 | https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2019-1208 | 0.1
IBM: IBM Security Bulletin: IBM WebSphere Cast Iron Solution & App Connect Professional is affected by Apache Tomcat vulnerabilities. | https://vulmon.com/vendoradvisory?qidtp=ibm_psirt_blog&qid=6a3950e54c50353235e3e8004916f871 | 0.1
Red Hat: Moderate: Red Hat JBoss Web Server 5.2 security release | https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20193931 - Security Advisory | 0.1
Debian Security Advisories: DSA-4596-1 tomcat8 -- security update | https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=4cb7c55b01cbf593c9c3969d59695c8a | 0.1
tool | https://github.com/Mal-lol-git/tool | 0.1
AwareIM-resources | https://github.com/RennurApps/AwareIM-resources | 0.1
cybsec | https://github.com/ilmari666/cybsec | 0.1
cybersecuritybase-project | https://github.com/mikademo/cybersecuritybase-project | 0.1

sources: CNVD: CNVD-2019-15086 // VULMON: CVE-2019-0199 // JVNDB: JVNDB-2019-003375 // CNNVD: CNNVD-201903-919

EXTERNAL IDS

db          | id                 | Trust
NVD         | CVE-2019-0199      | 3.6
BID         | 107674             | 1.9
JVNDB       | JVNDB-2019-003375  | 0.8
PACKETSTORM | 155792             | 0.7
PACKETSTORM | 157964             | 0.7
CNVD        | CNVD-2019-15086    | 0.6
AUSCERT     | ESB-2019.2230      | 0.6
AUSCERT     | ESB-2019.1958      | 0.6
AUSCERT     | ESB-2019.0980      | 0.6
AUSCERT     | ESB-2019.4405      | 0.6
AUSCERT     | ESB-2020.0014      | 0.6
AUSCERT     | ESB-2019.2295      | 0.6
AUSCERT     | ESB-2019.1966      | 0.6
AUSCERT     | ESB-2020.1983      | 0.6
CNNVD       | CNNVD-201903-919   | 0.6
VULMON      | CVE-2019-0199      | 0.1

sources: CNVD: CNVD-2019-15086 // VULMON: CVE-2019-0199 // BID: 107674 // JVNDB: JVNDB-2019-003375 // PACKETSTORM: 155792 // PACKETSTORM: 157964 // CNNVD: CNNVD-201903-919 // NVD: CVE-2019-0199

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2019-0199

Trust: 2.2

url:https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Trust: 1.9

url:https://security.netapp.com/advisory/ntap-20190419-0001/

Trust: 1.7

url:https://access.redhat.com/errata/rhsa-2019:3931

Trust: 1.6

url:https://access.redhat.com/errata/rhsa-2019:3929

Trust: 1.6

url:https://www.debian.org/security/2019/dsa-4596

Trust: 1.6

url:http://www.securityfocus.com/bid/107674

Trust: 1.6

url:http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html

Trust: 1.0

url:http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html

Trust: 1.0

url:http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html

Trust: 1.0

url:https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9%40%3cannounce.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef%40%3cannounce.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600%40%3cannounce.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3cannounce.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3cannounce.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e%40%3ccommits.tomee.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c%40%3cusers.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3cdev.tomcat.apache.org%3e

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/nphqel5aq6lzszd2y6tyz4rc3wi7nxj3/

Trust: 1.0

url:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/zqtz5bj5f4kv6n53sgnksw3uy5dbiq46/

Trust: 1.0

url:https://seclists.org/bugtraq/2019/dec/43

Trust: 1.0

url:https://support.f5.com/csp/article/k17321505

Trust: 1.0

url:https://www.oracle.com/security-alerts/cpuapr2020.html

Trust: 1.0

url:https://www.oracle.com/security-alerts/cpujan2020.html

Trust: 1.0

url:http://tomcat.apache.org/security-8.html

Trust: 0.9

url:http://tomcat.apache.org/security-9.html

Trust: 0.9

url:http://tomcat.apache.org/

Trust: 0.9

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-0199

Trust: 0.8

url:https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3cannounce.tomcat.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e@%3ccommits.tomee.apache.org%3e

Trust: 0.7

url:https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3cdev.tomcat.apache.org%3e

Trust: 0.7

url:https://www.mail-archive.com/dev

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10886317

Trust: 0.6

url:https://www.mail-archive.com/users@tomcat.apache.org/msg132248.html

Trust: 0.6

url:http://www.ibm.com/support/docview.wss?uid=ibm10885114

Trust: 0.6

url:https://www.suse.com/support/update/announcement/2019/suse-su-20191693-1.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.4405/

Trust: 0.6

url:https://packetstormsecurity.com/files/155792/debian-security-advisory-4596-1.html

Trust: 0.6

url:https://www-01.ibm.com/support/docview.wss?uid=ibm10886317

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2230/

Trust: 0.6

url:https://vigilance.fr/vulnerability/apache-tomcat-denial-of-service-via-http-2-frames-28842

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0014/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.2295/

Trust: 0.6

url:https://packetstormsecurity.com/files/157964/red-hat-security-advisory-2020-2366-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.1958/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/77766

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2019.1966/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-cve-2019-0199-the-http-2-implementation-in-embded-apache-tomcat-denial-of-service-vulnerability/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.1983/

Trust: 0.6

url:https://cwe.mitre.org/data/definitions/400.html

Trust: 0.1

url:https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2019-0199

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://usn.ubuntu.com/4128-2/

Trust: 0.1

url:https://tools.cisco.com/security/center/viewalert.x?alertid=59989

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-17563

Trust: 0.1

url:https://www.debian.org/security/faq

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-8014

Trust: 0.1

url:https://www.debian.org/security/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-0221

Trust: 0.1

url:https://security-tracker.debian.org/tracker/tomcat8

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-12418

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2018-11784

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3875

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-14832

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-10201

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2020:2366

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=catrhoar.spring.boot&downloadtype=distributions&version=2.1.12

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-3868

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-0199

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-10201

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3875

Trust: 0.1

url:https://access.redhat.com/security/team/contact/

Trust: 0.1

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.1

url:https://bugzilla.redhat.com/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-3868

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-14832

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/red_hat_support_for_spring_boot/2.1/html-single/release_notes_for_spring_boot_2.1/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2019-10199

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2019-10199

Trust: 0.1

sources: CNVD: CNVD-2019-15086 // VULMON: CVE-2019-0199 // BID: 107674 // JVNDB: JVNDB-2019-003375 // PACKETSTORM: 155792 // PACKETSTORM: 157964 // CNNVD: CNNVD-201903-919 // NVD: CVE-2019-0199

CREDITS

Inc,Debian,Michal Karm Babacek from Red Hat

Trust: 0.6

sources: CNNVD: CNNVD-201903-919

SOURCES

db          | id
CNVD        | CNVD-2019-15086
VULMON      | CVE-2019-0199
BID         | 107674
JVNDB       | JVNDB-2019-003375
PACKETSTORM | 155792
PACKETSTORM | 157964
CNNVD       | CNNVD-201903-919
NVD         | CVE-2019-0199

LAST UPDATE DATE

2024-08-14T12:09:27.902000+00:00


SOURCES UPDATE DATE

db     | id                | date
CNVD   | CNVD-2019-15086   | 2019-05-23T00:00:00
VULMON | CVE-2019-0199     | 2019-05-28T00:00:00
BID    | 107674            | 2019-07-17T09:00:00
JVNDB  | JVNDB-2019-003375 | 2019-05-15T00:00:00
CNNVD  | CNNVD-201903-919  | 2020-06-09T00:00:00
NVD    | CVE-2019-0199     | 2023-12-08T16:41:18.860

SOURCES RELEASE DATE

db          | id                | date
CNVD        | CNVD-2019-15086   | 2019-05-23T00:00:00
VULMON      | CVE-2019-0199     | 2019-04-10T00:00:00
BID         | 107674            | 2019-02-08T00:00:00
JVNDB       | JVNDB-2019-003375 | 2019-05-15T00:00:00
PACKETSTORM | 155792            | 2019-12-30T18:38:42
PACKETSTORM | 157964            | 2020-06-05T18:32:22
CNNVD       | CNNVD-201903-919  | 2019-03-25T00:00:00
NVD         | CVE-2019-0199     | 2019-04-10T15:29:00.390