CVE-2019-0232: OS Command Injection
First published: Wed Apr 10 2019(Updated: )
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0.M1<9.0.17 | 9.0.17 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=7.0.0<7.0.94 | 7.0.94 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.0.0<8.5.40 | 8.5.40 |
| IBM GDE | <=3.0.0.2 | |
| All of | ||
| Any of | ||
| Apache Tomcat | >=7.0.0<=7.0.93 | |
| Apache Tomcat | >=8.5.0<=8.5.39 | |
| Apache Tomcat | >=9.0.1<=9.0.17 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Apache Tomcat | =9.0.0-milestone10 | |
| Apache Tomcat | =9.0.0-milestone11 | |
| Apache Tomcat | =9.0.0-milestone12 | |
| Apache Tomcat | =9.0.0-milestone13 | |
| Apache Tomcat | =9.0.0-milestone14 | |
| Apache Tomcat | =9.0.0-milestone15 | |
| Apache Tomcat | =9.0.0-milestone16 | |
| Apache Tomcat | =9.0.0-milestone17 | |
| Apache Tomcat | =9.0.0-milestone18 | |
| Apache Tomcat | =9.0.0-milestone19 | |
| Apache Tomcat | =9.0.0-milestone2 | |
| Apache Tomcat | =9.0.0-milestone20 | |
| Apache Tomcat | =9.0.0-milestone21 | |
| Apache Tomcat | =9.0.0-milestone22 | |
| Apache Tomcat | =9.0.0-milestone23 | |
| Apache Tomcat | =9.0.0-milestone24 | |
| Apache Tomcat | =9.0.0-milestone25 | |
| Apache Tomcat | =9.0.0-milestone26 | |
| Apache Tomcat | =9.0.0-milestone3 | |
| Apache Tomcat | =9.0.0-milestone4 | |
| Apache Tomcat | =9.0.0-milestone5 | |
| Apache Tomcat | =9.0.0-milestone6 | |
| Apache Tomcat | =9.0.0-milestone7 | |
| Apache Tomcat | =9.0.0-milestone8 | |
| Apache Tomcat | =9.0.0-milestone9 | |
| Microsoft Windows | ||
| All of | ||
| Any of | ||
| Apache Tomcat | >=7.0.0<=7.0.93 | |
| Apache Tomcat | >=8.5.0<=8.5.39 | |
| Apache Tomcat | >=9.0.1<=9.0.17 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Apache Tomcat | =9.0.0-milestone10 | |
| Apache Tomcat | =9.0.0-milestone11 | |
| Apache Tomcat | =9.0.0-milestone12 | |
| Apache Tomcat | =9.0.0-milestone13 | |
| Apache Tomcat | =9.0.0-milestone14 | |
| Apache Tomcat | =9.0.0-milestone15 | |
| Apache Tomcat | =9.0.0-milestone16 | |
| Apache Tomcat | =9.0.0-milestone17 | |
| Apache Tomcat | =9.0.0-milestone18 | |
| Apache Tomcat | =9.0.0-milestone19 | |
| Apache Tomcat | =9.0.0-milestone2 | |
| Apache Tomcat | =9.0.0-milestone20 | |
| Apache Tomcat | =9.0.0-milestone21 | |
| Apache Tomcat | =9.0.0-milestone22 | |
| Apache Tomcat | =9.0.0-milestone23 | |
| Apache Tomcat | =9.0.0-milestone24 | |
| Apache Tomcat | =9.0.0-milestone25 | |
| Apache Tomcat | =9.0.0-milestone26 | |
| Apache Tomcat | =9.0.0-milestone3 | |
| Apache Tomcat | =9.0.0-milestone4 | |
| Apache Tomcat | =9.0.0-milestone5 | |
| Apache Tomcat | =9.0.0-milestone6 | |
| Apache Tomcat | =9.0.0-milestone7 | |
| Apache Tomcat | =9.0.0-milestone8 | |
| Apache Tomcat | =9.0.0-milestone9 | |
| Microsoft Windows | ||
| Apache Tomcat | >=7.0.0<=7.0.93 | |
| Apache Tomcat | >=8.5.0<=8.5.39 | |
| Apache Tomcat | >=9.0.1<=9.0.17 | |
| Apache Tomcat | =9.0.0-m1 | |
| Apache Tomcat | =9.0.0-m10 | |
| Apache Tomcat | =9.0.0-m11 | |
| Apache Tomcat | =9.0.0-m12 | |
| Apache Tomcat | =9.0.0-m13 | |
| Apache Tomcat | =9.0.0-m14 | |
| Apache Tomcat | =9.0.0-m15 | |
| Apache Tomcat | =9.0.0-m16 | |
| Apache Tomcat | =9.0.0-m17 | |
| Apache Tomcat | =9.0.0-m18 | |
| Apache Tomcat | =9.0.0-m19 | |
| Apache Tomcat | =9.0.0-m2 | |
| Apache Tomcat | =9.0.0-m20 | |
| Apache Tomcat | =9.0.0-m21 | |
| Apache Tomcat | =9.0.0-m22 | |
| Apache Tomcat | =9.0.0-m23 | |
| Apache Tomcat | =9.0.0-m24 | |
| Apache Tomcat | =9.0.0-m25 | |
| Apache Tomcat | =9.0.0-m26 | |
| Apache Tomcat | =9.0.0-m3 | |
| Apache Tomcat | =9.0.0-m4 | |
| Apache Tomcat | =9.0.0-m5 | |
| Apache Tomcat | =9.0.0-m6 | |
| Apache Tomcat | =9.0.0-m7 | |
| Apache Tomcat | =9.0.0-m8 | |
| Apache Tomcat | =9.0.0-m9 | |
| Microsoft Windows | ||
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el6 | 0:4.12.0-1.redhat_1.1.el6 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el6 | 0:3.4.1-5.15.11.el6 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el6 | 0:3.3.2-1.Final_redhat_00001.1.el6 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el6 | 0:9.0.21-10.redhat_4.1.el6 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el6 | 0:1.2.21-34.redhat_34.el6 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el6 | 0:1.1.8-1.Final_redhat_1.1.el6 |
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el7 | 0:4.12.0-1.redhat_1.1.el7 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el7 | 0:3.4.1-5.15.11.el7 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el7 | 0:3.3.2-1.Final_redhat_00001.1.el7 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el7 | 0:9.0.21-10.redhat_4.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el7 | 0:1.2.21-34.redhat_34.el7 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el7 | 0:1.1.8-1.Final_redhat_1.1.el7 |
| redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el8 | 0:4.12.0-1.redhat_1.1.el8 |
| redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el8 | 0:3.4.1-5.15.11.el8 |
| redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el8 | 0:3.3.2-1.Final_redhat_00001.1.el8 |
| redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el8 | 0:9.0.21-10.redhat_4.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el8 | 0:1.2.21-34.redhat_34.el8 |
| redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el8 | 0:1.1.8-1.Final_redhat_1.1.el8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-0232
- https://access.redhat.com/errata/RHSA-2019:1712
- https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
- https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767@%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35@%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b@%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c@%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190419-0001/
- https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
- https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.synology.com/security/advisory/Synology_SA_19_17
- https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/
- http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/May/4
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://web.archive.org/web/20200227030103/http://www.securityfocus.com/bid/107906
- https://github.com/advisories/GHSA-8vmx-qmch-mpqg (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159398
- https://www.ibm.com/support/pages/node/6320835 (Advisory)
- http://www.securityfocus.com/bid/107906
- http://tomcat.apache.org/security-7.html
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-9.html
- https://github.com/apache/tomcat/commit/7f0221b
- https://access.redhat.com/security/cve/cve-2019-0232
- https://bugzilla.redhat.com/show_bug.cgi?id=1701056
- https://www.cve.org/CVERecord?id=CVE-2019-0232 https://nvd.nist.gov/vuln/detail/CVE-2019-0232
- https://access.redhat.com/errata/RHSA-2019:3929
Frequently Asked Questions
What is the vulnerability ID for this flaw?
The vulnerability ID for this flaw is CVE-2019-0232.
What is the severity level of CVE-2019-0232?
The severity level of CVE-2019-0232 is high.
Which versions of Apache Tomcat are affected by CVE-2019-0232?
Apache Tomcat versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are affected by CVE-2019-0232.
How can this vulnerability be exploited?
This vulnerability can be exploited through Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows.
Where can I find more information about CVE-2019-0232?
More information about CVE-2019-0232 can be found on the Apache Tomcat security page: [http://tomcat.apache.org/security-7.html](http://tomcat.apache.org/security-7.html), [http://tomcat.apache.org/security-8.html](http://tomcat.apache.org/security-8.html), [http://tomcat.apache.org/security-9.html](http://tomcat.apache.org/security-9.html).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-8vmx-qmch-mpqg
- alias/CVE-2019-0232
- collector/github-advisory-latest
- collector/ibm-support
- collector/nvd-api
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/redhat-cve
- package-manager/maven
- vendor/ibm
- canonical/ibm gde
- version/ibm gde/3.0.0.2
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.93
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.39
- version/apache tomcat/9.0.1
- version/apache tomcat/9.0.17
- version/apache tomcat/9.0.0-milestone1
- version/apache tomcat/9.0.0-milestone10
- version/apache tomcat/9.0.0-milestone11
- version/apache tomcat/9.0.0-milestone12
- version/apache tomcat/9.0.0-milestone13
- version/apache tomcat/9.0.0-milestone14
- version/apache tomcat/9.0.0-milestone15
- version/apache tomcat/9.0.0-milestone16
- version/apache tomcat/9.0.0-milestone17
- version/apache tomcat/9.0.0-milestone18
- version/apache tomcat/9.0.0-milestone19
- version/apache tomcat/9.0.0-milestone2
- version/apache tomcat/9.0.0-milestone20
- version/apache tomcat/9.0.0-milestone21
- version/apache tomcat/9.0.0-milestone22
- version/apache tomcat/9.0.0-milestone23
- version/apache tomcat/9.0.0-milestone24
- version/apache tomcat/9.0.0-milestone25
- version/apache tomcat/9.0.0-milestone26
- version/apache tomcat/9.0.0-milestone3
- version/apache tomcat/9.0.0-milestone4
- version/apache tomcat/9.0.0-milestone5
- version/apache tomcat/9.0.0-milestone6
- version/apache tomcat/9.0.0-milestone7
- version/apache tomcat/9.0.0-milestone8
- version/apache tomcat/9.0.0-milestone9
- vendor/microsoft
- canonical/microsoft windows
- version/apache tomcat/9.0.0-m1
- version/apache tomcat/9.0.0-m10
- version/apache tomcat/9.0.0-m11
- version/apache tomcat/9.0.0-m12
- version/apache tomcat/9.0.0-m13
- version/apache tomcat/9.0.0-m14
- version/apache tomcat/9.0.0-m15
- version/apache tomcat/9.0.0-m16
- version/apache tomcat/9.0.0-m17
- version/apache tomcat/9.0.0-m18
- version/apache tomcat/9.0.0-m19
- version/apache tomcat/9.0.0-m2
- version/apache tomcat/9.0.0-m20
- version/apache tomcat/9.0.0-m21
- version/apache tomcat/9.0.0-m22
- version/apache tomcat/9.0.0-m23
- version/apache tomcat/9.0.0-m24
- version/apache tomcat/9.0.0-m25
- version/apache tomcat/9.0.0-m26
- version/apache tomcat/9.0.0-m3
- version/apache tomcat/9.0.0-m4
- version/apache tomcat/9.0.0-m5
- version/apache tomcat/9.0.0-m6
- version/apache tomcat/9.0.0-m7
- version/apache tomcat/9.0.0-m8
- version/apache tomcat/9.0.0-m9
- package-manager/redhat