ASA-2019-00210 – Apache Tomcat: Remote Code Execution on Windows

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00210

Identifier(s)

ASA-2019-00210, CVE-2019-0232

Title

Remote Code Execution on Windows

Vendor(s)

Apache Software Foundation

Product(s)

Apache Tomcat

Affected version(s)

Apache Tomcat versions 7.0.0 to 7.0.93
Apache Tomcat versions 8.5.0 to 8.5.39
Apache Tomcat versions 9.0.0.M1 to 9.0.17

Fixed version(s)

Apache Tomcat version 7.0.94
Apache Tomcat version 8.5.40
Apache Tomcat version 9.0.19

Proof of concept

Yes

Description

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability).

Technical details

Unknown

Credits

Nightwatch Cybersecurity Research

Reference(s)

Apache Tomcat® – Apache Tomcat 7 vulnerabilities
https://tomcat.apache.org/security-7.html

Apache Tomcat® – Apache Tomcat 8 vulnerabilities
https://tomcat.apache.org/security-8.html

Apache Tomcat® – Apache Tomcat 9 vulnerabilities
https://tomcat.apache.org/security-9.html

Upcoming Advisory for Apache Tomcat Vulnerability – CVE-2019-0232
https://wwws.nightwatchcybersecurity.com/2019/04/15/upcoming-advisory-for-apache-tomcat-vulnerability-cve-2019-0232/

Limit CGI command line arguments
https://github.com/apache/tomcat/commit/7f0221b

Limit CGI command line arguments
https://github.com/apache/tomcat/commit/5bc4e6d

Limit CGI command line arguments
https://github.com/apache/tomcat/commit/4b244d8

Apache Tomcat Remote Code Execution on Windows
https://github.com/pyn3rd/CVE-2019-0232

Uncovering CVE-2019-0232: A Remote Code Execution Vulnerability in Apache Tomcat
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

CVE-2019-0232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232

CVE-2019-0232
https://nvd.nist.gov/vuln/detail/CVE-2019-0232

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: October 2, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.