The new versions of the Tomcat application server
The remote code execution vulnerability, tracked as CVE-2019-0232, resides in the Common Gateway Interface (CGI) Servlet when running on Windows with enableCmdLineArguments enabled. The flaw ties the way the Java Runtime Environment (JRE) passes command line arguments to Windows.
“When running on Windows with
The vulnerability has been rated as only important because the CGI Servlet is disabled by default and its option enableCmdLineArguments is disabled by default in Tomcat 9.0.x.
To mitigate the RCE vulnerability, the CGI Servlet enableCmdLineArguments option will now be disabled by default in all versions of Apache Tomcat.
Technical details about the JRE behaviour were provided in a blog post published by Markus Wulftange.
Below the list of the affected versions of the Tomcat application server:
The following Tomcat versions are not affected by the flaw:
The vulnerability was reported to the Apache Tomcat security team by an unnamed security expert on 3rd March 2019 and was publicly disclosed on 10 April 2019 after the release of the new updated versions (Tomcat version 9.0.19, version 8.5.40 and version 7.0.93).
If you are using a Tomcat application server don’t forget to install the software updates as soon as possible. In case for some reason you cannot apply the patches immediately, you should check that default enableCmdLineArguments value is disabled.