CVE-2019-17563: High severity IBM Data Risk Manager vulnerability

Published Dec 18, 2019
·
Updated

Apache Tomcat could allow a local attacker to hijack a user's session. By using the FORM authentication function, an attacker could exploit this vulnerability to gain access to another user's session.

Other sources

It was found that tomcat's FORM authentication allowed a very small period in which an attacker could possibly force a victim to use a valid user session, or Session Fixation. While practical exploit of this issue is deemed highly improbable, an abundance of caution merits it be considered a flaw. The highest threat from this vulnerability is to system availability, but also threatens data confidentiality and integrity.

When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Reference: https://tomcat.apache.org/security-7.html https://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html

Upstream commits: https://github.com/apache/tomcat/commit/ab72a10 https://github.com/apache/tomcat/commit/e19a202 https://github.com/apache/tomcat/commit/1ecba14

Red Hat

When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Affected Software

36 affected componentsFixes available
redhat/tomcat<0:7.0.76-15.el7
0:7.0.76-15.el7
redhat/tomcat<0:7.0.76-11.el7_6
0:7.0.76-11.el7_6
redhat/tomcat<0:7.0.76-12.el7_7
0:7.0.76-12.el7_7
redhat/tomcat7<0:7.0.70-38.ep7.el6
0:7.0.70-38.ep7.el6
redhat/tomcat8<0:8.0.36-42.ep7.el6
0:8.0.36-42.ep7.el6
redhat/tomcat-native<0:1.2.23-21.redhat_21.ep7.el6
0:1.2.23-21.redhat_21.ep7.el6
redhat/tomcat7<0:7.0.70-38.ep7.el7
0:7.0.70-38.ep7.el7
redhat/tomcat8<0:8.0.36-42.ep7.el7
0:8.0.36-42.ep7.el7
redhat/tomcat-native<0:1.2.23-21.redhat_21.ep7.el7
0:1.2.23-21.redhat_21.ep7.el7
redhat/jws5-tomcat<0:9.0.30-3.redhat_4.1.el6
0:9.0.30-3.redhat_4.1.el6
redhat/jws5-tomcat-native<0:1.2.23-4.redhat_4.el6
0:1.2.23-4.redhat_4.el6
redhat/jws5-tomcat<0:9.0.30-3.redhat_4.1.el7
0:9.0.30-3.redhat_4.1.el7
redhat/jws5-tomcat-native<0:1.2.23-4.redhat_4.el7
0:1.2.23-4.redhat_4.el7
redhat/jws5-tomcat<0:9.0.30-3.redhat_4.1.el8
0:9.0.30-3.redhat_4.1.el8
redhat/jws5-tomcat-native<0:1.2.23-4.redhat_4.el8
0:1.2.23-4.redhat_4.el8
redhat/tomcat<7.0.99
7.0.99
redhat/tomcat<8.5.50
8.5.50
redhat/tomcat<9.0.30
9.0.30
IBM Data Risk Manager<=2.0.6
Apache Tomcat>=7.0.0<=7.0.98
Apache Tomcat>=8.5.0<=8.5.49
Apache Tomcat>=9.0.0<=9.0.29
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
openSUSE Leap=15.1
Canonical Ubuntu Linux=16.04
Oracle Agile Engineering Data Management=6.2.1.0
Oracle Hyperion Infrastructure Technology=11.1.2.4
Oracle Instantis Enterprisetrack>=17.1<=17.3
Oracle Micros Relate Crm Software=11.4
Oracle MySQL Enterprise Monitor<=4.0.11.5331
Oracle MySQL Enterprise Monitor>=8.0.0<=8.0.18.1217
Oracle Retail Order Broker=15.0
Oracle Transportation Management=6.3.7
debian/tomcat9
9.0.43-2~deb11u109.0.107-0+deb11u29.0.70-29.0.95-19.0.115-1

Remediation

Patch Available

https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E

Patch Available

https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3E

Patch Available

https://www.oracle.com/security-alerts/cpuapr2020.html

Patch Available

https://www.oracle.com/security-alerts/cpujan2021.html

Patch Available

https://www.oracle.com/security-alerts/cpujul2020.html

Patch Available

https://github.com/apache/tomcat/commit/ab72a106fe5d992abddda954e30849d7cf8cc583

Patch Available

https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c

Patch Available

https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652

Event History

Dec 18, 2019
CVE Published
12:00 AM
Dec 20, 2019
Data Sourced
via Red Hat·06:30 PM
DescriptionSeverityAffected Software
Dec 23, 2019
CVE Published
via MITRE·04:39 PM
Data Sourced
via MITRE·04:39 PM
DescriptionWeakness
Data Sourced
via NVD·05:15 PM
RemedyDescriptionSeverityWeaknessAffected Software
Feb 20, 2026
Data Sourced
via Ubuntu·10:40 PM
RemedyDescriptionSeverityAffected Software
Data Sourced
via Launchpad·10:41 PM
Description
Data Sourced
via Debian·10:41 PM
DescriptionAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2019-17563?

CVE-2019-17563 is a vulnerability in Apache Tomcat that allows an attacker to potentially force a victim to use a valid user session, leading to session fixation.

2

What is the severity of CVE-2019-17563?

CVE-2019-17563 has a severity rating of high.

3

Which versions of Apache Tomcat are affected by CVE-2019-17563?

Apache Tomcat versions 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49, and 7.0.0 to 7.0.99 are affected by CVE-2019-17563.

4

How can I fix CVE-2019-17563?

To fix CVE-2019-17563, it is recommended to upgrade to Apache Tomcat version 9.0.30 or later, 8.5.50 or later, or 7.0.100 or later.

5

Where can I find more information about CVE-2019-17563?

You can find more information about CVE-2019-17563 on the CVE website (https://www.cve.org/CVERecord?id=CVE-2019-17563), NIST NVD (https://nvd.nist.gov/vuln/detail/CVE-2019-17563), Apache Tomcat security advisories, and Red Hat errata (https://access.redhat.com/errata/RHSA-2020:4004).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203