When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

The version of Apache Tomcat installed on the remote host is < 9.0.18. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.18_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3929 advisory.

  - openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)

  - tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)

  - tomcat: XSS in SSI printenv (CVE-2019-0221)

  - tomcat: Remote Code Execution on Windows (CVE-2019-0232)

  - openssl: 0-byte record padding oracle (CVE-2019-1559)

  - tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injec tions-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microso ft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command
-line-arguments-the-wrong-way/). (CVE-2019-0232)

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

The version of Tomcat installed on the remote Windows host is prior to 8.5.40. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote Windows host is version 7.0.x prior to 7.0.94. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 or 7.0.0 to 7.0.93. It is, therefore, affected by a remote code execution vulnerability when running on Windows with enableCmdLineArguments enabled due to a bug in the way the JRE passes command line arguments to Windows.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote Windows host is prior to 7.0.94. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote Windows host is prior to 9.0.19. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
701436	Apache Tomcat < 9.0.18 Vulnerability	Nessus Network Monitor	Web Servers	critical
131214	RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.2 security (Important) (RHSA-2019:3929)	Nessus	Red Hat Local Security Checks	high
125294	Amazon Linux AMI : tomcat8 (ALAS-2019-1208)	Nessus	Amazon Linux Local Security Checks	high
700698	Apache Tomcat 8.0.x < 8.5.40 Remote Code Execution Vulnerability (Windows)	Nessus Network Monitor	Web Servers	high
700682	Apache Tomcat 7.0.x < 7.0.94 Remote Code Execution Vulnerability (Windows)	Nessus Network Monitor	Web Servers	high
98541	Apache Tomcat 7.0.0 < 7.0.94 Remote Code Execution on Windows	Web App Scanning	Component Vulnerability	high
98540	Apache Tomcat 8.5.0 < 8.5.40 Remote Code Execution on Windows	Web App Scanning	Component Vulnerability	high
98539	Apache Tomcat 9.0.0.M1 < 9.0.19 Remote Code Execution on Windows	Web App Scanning	Component Vulnerability	high
124064	Apache Tomcat 7.0.0 < 7.0.94 Remote Code Execution Vulnerability (Windows)	Nessus	Web Servers	high
124063	Apache Tomcat 8.5.0 < 8.5.40 Remote Code Execution Vulnerability (Windows)	Nessus	Web Servers	high
124058	Apache Tomcat 9.0.0.M1 < 9.0.19 Remote Code Execution Vulnerability (Windows)	Nessus	Web Servers	high

Detections

Analytics

CVE-2019-0232

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high