First published: Wed Apr 10 2019(Updated: )
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Credit: security@apache.org security@apache.org security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0.M1<9.0.17 | 9.0.17 |
maven/org.apache.tomcat.embed:tomcat-embed-core | >=7.0.0<7.0.94 | 7.0.94 |
maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.0.0<8.5.40 | 8.5.40 |
IBM GDE | <=3.0.0.2 | |
All of | ||
Any of | ||
Apache Tomcat | >=7.0.0<=7.0.93 | |
Apache Tomcat | >=8.5.0<=8.5.39 | |
Apache Tomcat | >=9.0.1<=9.0.17 | |
Apache Tomcat | =9.0.0-milestone1 | |
Apache Tomcat | =9.0.0-milestone10 | |
Apache Tomcat | =9.0.0-milestone11 | |
Apache Tomcat | =9.0.0-milestone12 | |
Apache Tomcat | =9.0.0-milestone13 | |
Apache Tomcat | =9.0.0-milestone14 | |
Apache Tomcat | =9.0.0-milestone15 | |
Apache Tomcat | =9.0.0-milestone16 | |
Apache Tomcat | =9.0.0-milestone17 | |
Apache Tomcat | =9.0.0-milestone18 | |
Apache Tomcat | =9.0.0-milestone19 | |
Apache Tomcat | =9.0.0-milestone2 | |
Apache Tomcat | =9.0.0-milestone20 | |
Apache Tomcat | =9.0.0-milestone21 | |
Apache Tomcat | =9.0.0-milestone22 | |
Apache Tomcat | =9.0.0-milestone23 | |
Apache Tomcat | =9.0.0-milestone24 | |
Apache Tomcat | =9.0.0-milestone25 | |
Apache Tomcat | =9.0.0-milestone26 | |
Apache Tomcat | =9.0.0-milestone3 | |
Apache Tomcat | =9.0.0-milestone4 | |
Apache Tomcat | =9.0.0-milestone5 | |
Apache Tomcat | =9.0.0-milestone6 | |
Apache Tomcat | =9.0.0-milestone7 | |
Apache Tomcat | =9.0.0-milestone8 | |
Apache Tomcat | =9.0.0-milestone9 | |
Microsoft Windows | ||
All of | ||
Any of | ||
Apache Tomcat | >=7.0.0<=7.0.93 | |
Apache Tomcat | >=8.5.0<=8.5.39 | |
Apache Tomcat | >=9.0.1<=9.0.17 | |
Apache Tomcat | =9.0.0-milestone1 | |
Apache Tomcat | =9.0.0-milestone10 | |
Apache Tomcat | =9.0.0-milestone11 | |
Apache Tomcat | =9.0.0-milestone12 | |
Apache Tomcat | =9.0.0-milestone13 | |
Apache Tomcat | =9.0.0-milestone14 | |
Apache Tomcat | =9.0.0-milestone15 | |
Apache Tomcat | =9.0.0-milestone16 | |
Apache Tomcat | =9.0.0-milestone17 | |
Apache Tomcat | =9.0.0-milestone18 | |
Apache Tomcat | =9.0.0-milestone19 | |
Apache Tomcat | =9.0.0-milestone2 | |
Apache Tomcat | =9.0.0-milestone20 | |
Apache Tomcat | =9.0.0-milestone21 | |
Apache Tomcat | =9.0.0-milestone22 | |
Apache Tomcat | =9.0.0-milestone23 | |
Apache Tomcat | =9.0.0-milestone24 | |
Apache Tomcat | =9.0.0-milestone25 | |
Apache Tomcat | =9.0.0-milestone26 | |
Apache Tomcat | =9.0.0-milestone3 | |
Apache Tomcat | =9.0.0-milestone4 | |
Apache Tomcat | =9.0.0-milestone5 | |
Apache Tomcat | =9.0.0-milestone6 | |
Apache Tomcat | =9.0.0-milestone7 | |
Apache Tomcat | =9.0.0-milestone8 | |
Apache Tomcat | =9.0.0-milestone9 | |
Microsoft Windows | ||
Apache Tomcat | >=7.0.0<=7.0.93 | |
Apache Tomcat | >=8.5.0<=8.5.39 | |
Apache Tomcat | >=9.0.1<=9.0.17 | |
Apache Tomcat | =9.0.0-m1 | |
Apache Tomcat | =9.0.0-m10 | |
Apache Tomcat | =9.0.0-m11 | |
Apache Tomcat | =9.0.0-m12 | |
Apache Tomcat | =9.0.0-m13 | |
Apache Tomcat | =9.0.0-m14 | |
Apache Tomcat | =9.0.0-m15 | |
Apache Tomcat | =9.0.0-m16 | |
Apache Tomcat | =9.0.0-m17 | |
Apache Tomcat | =9.0.0-m18 | |
Apache Tomcat | =9.0.0-m19 | |
Apache Tomcat | =9.0.0-m2 | |
Apache Tomcat | =9.0.0-m20 | |
Apache Tomcat | =9.0.0-m21 | |
Apache Tomcat | =9.0.0-m22 | |
Apache Tomcat | =9.0.0-m23 | |
Apache Tomcat | =9.0.0-m24 | |
Apache Tomcat | =9.0.0-m25 | |
Apache Tomcat | =9.0.0-m26 | |
Apache Tomcat | =9.0.0-m3 | |
Apache Tomcat | =9.0.0-m4 | |
Apache Tomcat | =9.0.0-m5 | |
Apache Tomcat | =9.0.0-m6 | |
Apache Tomcat | =9.0.0-m7 | |
Apache Tomcat | =9.0.0-m8 | |
Apache Tomcat | =9.0.0-m9 | |
Microsoft Windows | ||
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el6 | 0:4.12.0-1.redhat_1.1.el6 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el6 | 0:3.4.1-5.15.11.el6 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el6 | 0:3.3.2-1.Final_redhat_00001.1.el6 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el6 | 0:9.0.21-10.redhat_4.1.el6 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el6 | 0:1.2.21-34.redhat_34.el6 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el6 | 0:1.1.8-1.Final_redhat_1.1.el6 |
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el7 | 0:4.12.0-1.redhat_1.1.el7 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el7 | 0:3.4.1-5.15.11.el7 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el7 | 0:3.3.2-1.Final_redhat_00001.1.el7 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el7 | 0:9.0.21-10.redhat_4.1.el7 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el7 | 0:1.2.21-34.redhat_34.el7 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el7 | 0:1.1.8-1.Final_redhat_1.1.el7 |
redhat/jws5-ecj | <0:4.12.0-1.redhat_1.1.el8 | 0:4.12.0-1.redhat_1.1.el8 |
redhat/jws5-javapackages-tools | <0:3.4.1-5.15.11.el8 | 0:3.4.1-5.15.11.el8 |
redhat/jws5-jboss-logging | <0:3.3.2-1.Final_redhat_00001.1.el8 | 0:3.3.2-1.Final_redhat_00001.1.el8 |
redhat/jws5-tomcat | <0:9.0.21-10.redhat_4.1.el8 | 0:9.0.21-10.redhat_4.1.el8 |
redhat/jws5-tomcat-native | <0:1.2.21-34.redhat_34.el8 | 0:1.2.21-34.redhat_34.el8 |
redhat/jws5-tomcat-vault | <0:1.1.8-1.Final_redhat_1.1.el8 | 0:1.1.8-1.Final_redhat_1.1.el8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID for this flaw is CVE-2019-0232.
The severity level of CVE-2019-0232 is high.
Apache Tomcat versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, and 7.0.0 to 7.0.93 are affected by CVE-2019-0232.
This vulnerability can be exploited through Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows.
More information about CVE-2019-0232 can be found on the Apache Tomcat security page: [http://tomcat.apache.org/security-7.html](http://tomcat.apache.org/security-7.html), [http://tomcat.apache.org/security-8.html](http://tomcat.apache.org/security-8.html), [http://tomcat.apache.org/security-9.html](http://tomcat.apache.org/security-9.html).