CVE-2019-0232

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

References

https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/

https://lists.apache.org/thread.html/[email protected]%3Cannounce.tomcat.apache.org%3E

https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html

https://lists.apache.org/thread.html/[email protected]%3Ccommits.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Ccommits.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cnotifications.ofbiz.apache.org%3E

http://www.securityfocus.com/bid/107906

https://security.netapp.com/advisory/ntap-20190419-0001/

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784

http://seclists.org/fulldisclosure/2019/May/4

https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/

https://www.synology.com/security/advisory/Synology_SA_19_17

http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html

https://access.redhat.com/errata/RHSA-2019:1712

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

https://www.oracle.com/security-alerts/cpujan2020.html

https://lists.apache.org/thread.html/[email protected]%3Cannounce.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://www.oracle.com/security-alerts/cpuapr2020.html

https://www.oracle.com/security-alerts/cpuApr2021.html

Details

Source: MITRE

Published: 2019-04-15

Updated: 2021-06-14

Type: CWE-78

Risk Information

CVSS v2

Base Score: 9.3

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 8.6

Severity: HIGH

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 2.2

Severity: HIGH

Tenable Plugins

View all (11 total)

IDNameProductFamilySeverity
131214RHEL 6 / 7 / 8 : JBoss Web Server (RHSA-2019:3929)NessusRed Hat Local Security Checks
high
125294Amazon Linux AMI : tomcat8 (ALAS-2019-1208)NessusAmazon Linux Local Security Checks
high
700711Apache Tomcat 9.0.x < 9.0.19 Remote Code Execution Vulnerability (Windows)Nessus Network MonitorWeb Servers
high
700698Apache Tomcat 8.0.x < 8.5.40 Remote Code Execution Vulnerability (Windows)Nessus Network MonitorWeb Servers
high
700682Apache Tomcat 7.0.x < 7.0.94 Remote Code Execution Vulnerability (Windows)Nessus Network MonitorWeb Servers
high
98541Apache Tomcat 7.0.0 < 7.0.94 Remote Code Execution on WindowsWeb Application ScanningComponent Vulnerability
high
98540Apache Tomcat 8.5.0 < 8.5.40 Remote Code Execution on WindowsWeb Application ScanningComponent Vulnerability
high
98539Apache Tomcat 9.0.0.M1 < 9.0.19 Remote Code Execution on WindowsWeb Application ScanningComponent Vulnerability
high
124064Apache Tomcat 7.0.0 < 7.0.94 Remote Code Execution Vulnerability (Windows)NessusWeb Servers
high
124063Apache Tomcat 8.5.0 < 8.5.40 Remote Code Execution Vulnerability (Windows)NessusWeb Servers
high
124058Apache Tomcat 9.0.0.M1 < 9.0.19 Remote Code Execution Vulnerability (Windows)NessusWeb Servers
high