Last updated: 27/Feb/2020
Summary
Apache Software Foundation has announced the following multiple critical vulnerabilities for Apache Tomcat:
-
CVE-2019-12418
Insufficiently protected credentials may cause information leakage. -
CVE-2019-17563
There was a narrow window where an attacker could perform a session fixation attack.
These vulnerabilities exist in the following versions of Apache Tomcat:
- CVE-2019-12418
Apache Tomcat 9.0.0.M1 to 9.0.28
Apache Tomcat 8.5.0 to 8.5.47
Apache Tomcat 7.0.0 to 7.0.97 - CVE-2019-17563
Apache Tomcat 9.0.0.M1 to 9.0.29
Apache Tomcat 8.5.0 to 8.5.49
Apache Tomcat 7.0.0 to 7.0.98
For more detail, contact Apache Software Foundation.
Impact on the WingArc1st Products
CVE-2019-17563 can affect following products:
| Product | Version |
| SVF Web Designer | 9.2 to 10.0 |
| SVF Java Products | 9.0 to 10.0 |
| Report Director Enterprise | 9.0 to 10.0 |
| Universal Connect/X | 9.0 to 10.0 |
| SPA | 10.x |
CVE-2019-12418 has no effect on our products.
Solution
For SVF and SPA, we will release following service packs to address the issues.
| Product | Version | Planned Release Date |
| SVF Products V9.2 | SP9 | June 2020 |
| SVF Products V10.0 | V10.1 | End of 2020 |
| SPA V9.3 | SP8 | 30/June/2020 |
| SPA V10.0 | V10.4 | TBD |
For Dr. Sum, we confirmed the vulnerability has no effect.
For MotionBoard, we confirmed the vulnerability has no effect.
Comments
0 comments
Please sign in to leave a comment.