Allele Security Alert
ASA-2019-00210
Identifier(s)
ASA-2019-00210, CVE-2019-0232
Title
Remote Code Execution on Windows
Vendor(s)
Apache Software Foundation
Product(s)
Apache Tomcat
Affected version(s)
Apache Tomcat versions 7.0.0 to 7.0.93
Apache Tomcat versions 8.5.0 to 8.5.39
Apache Tomcat versions 9.0.0.M1 to 9.0.17
Fixed version(s)
Apache Tomcat version 7.0.94
Apache Tomcat version 8.5.40
Apache Tomcat version 9.0.19
Proof of concept
Yes
Description
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability).
Technical details
Unknown
Credits
Nightwatch Cybersecurity Research
Reference(s)
Apache Tomcat® – Apache Tomcat 7 vulnerabilities
https://tomcat.apache.org/security-7.html
Apache Tomcat® – Apache Tomcat 8 vulnerabilities
https://tomcat.apache.org/security-8.html
Apache Tomcat® – Apache Tomcat 9 vulnerabilities
https://tomcat.apache.org/security-9.html
Upcoming Advisory for Apache Tomcat Vulnerability – CVE-2019-0232
https://wwws.nightwatchcybersecurity.com/2019/04/15/upcoming-advisory-for-apache-tomcat-vulnerability-cve-2019-0232/
Limit CGI command line arguments
https://github.com/apache/tomcat/commit/7f0221b
Limit CGI command line arguments
https://github.com/apache/tomcat/commit/5bc4e6d
Limit CGI command line arguments
https://github.com/apache/tomcat/commit/4b244d8
Apache Tomcat Remote Code Execution on Windows
https://github.com/pyn3rd/CVE-2019-0232
Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
CVE-2019-0232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
CVE-2019-0232
https://nvd.nist.gov/vuln/detail/CVE-2019-0232
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 2, 2019