[SingCERT] Remote Code Execution Vulnerability (CVE-2019-0232) in Apache Tomcat

Published on Friday, 12 April 2019 14:57

Background

A remote code execution (RCE) vulnerability (CVE-2019-0232) was found in Apache Tomcat, an open source Java web application server. When Tomcat runs on the Windows Operating System (OS) with the “enableCmdLineArguments” option enabled, its Common Gateway Interface (CGI) Servlet is vulnerable to RCE due to a flaw in how the Java Runtime Environment (JRE) passes command line arguments to the underlying OS.

Impact

Successful exploitation of the vulnerability allows a remote attacker to execute arbitrary code on the Windows OS, which can lead to a malicious takeover of the entire system.

Affected Versions

The following versions of Tomcat running on Windows OS are vulnerable:

  • 9.0.0.M1 to 9.0.17
  • 8.5.0 to 8.5.39
  • 7.0.0 to 7.0.93

Recommendations

System Administrators should immediately verify their installations and upgrade to the corresponding patched versions below, available at http://tomcat.apache.org/ once released:

  • Apache Tomcat 9.0.18
  • Apache Tomcat 8.5.40
  • Apache Tomcat 7.0.94

An alternative mitigation measure is to change the CGI Servlet’s “enableCmdLineArguments” setting from its default value “true” to “false”.
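The following Python script is an added example, not part of the SingCERT advisory or of the Tomcat project. It checks an installation against the two conditions the advisory describes (an affected Tomcat version on Windows, and a CGI Servlet declared in web.xml with enableCmdLineArguments enabled) and reports whether the upgrade or the mitigation above is still needed. The version ranges are taken from this advisory, the assumption that an absent enableCmdLineArguments means “true” follows the advisory’s statement of the default, and the web.xml fragment below is a constructed sample modelled on the CGI Servlet stanza in Tomcat’s conf/web.xml; in practice the script would read the real conf/web.xml and the version reported by the installation.

```python
"""
Added example (not from SingCERT or the Tomcat project): checks a Tomcat
installation against the advisory's two conditions, an affected version on
Windows and a CGI Servlet with enableCmdLineArguments enabled, and reports
a verdict. The sample web.xml at the bottom is constructed for this example.
"""
import xml.etree.ElementTree as ET

# Version ranges exactly as listed in the advisory: [first affected, first fixed)
AFFECTED_RANGES = {
    9: ((9, 0, 0), (9, 0, 18)),
    8: ((8, 5, 0), (8, 5, 40)),
    7: ((7, 0, 0), (7, 0, 94)),
}

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def parse_version(text):
    """'9.0.0.M1' -> (9, 0, 0); milestone/RC suffixes are ignored."""
    return tuple(int(p) for p in text.split(".")[:3])


def version_is_affected(version):
    v = parse_version(version)
    bounds = AFFECTED_RANGES.get(v[0])
    return bounds is not None and bounds[0] <= v < bounds[1]


def _local(tag):
    # Strip the XML namespace so both the javaee and java.sun.com schemas match
    return tag.split("}")[-1]


def cgi_servlet_settings(web_xml_text):
    """Return (declared, enable_cmd_line_arguments) for the CGI Servlet.

    The second value is True/False when the init-param is set explicitly and
    None when it is absent (the version default applies).
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class, params = None, {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for sub in child:
                    if _local(sub.tag) == "param-name":
                        pname = (sub.text or "").strip()
                    elif _local(sub.tag) == "param-value":
                        pvalue = (sub.text or "").strip()
                if pname:
                    params[pname] = pvalue
        if servlet_class == CGI_SERVLET_CLASS:
            value = params.get("enableCmdLineArguments")
            return True, (None if value is None else value.lower() == "true")
    return False, None


def assess(version, web_xml_text, on_windows=True):
    """Verdict string for one installation."""
    if not on_windows:
        return "not affected: Tomcat is not running on Windows"
    if not version_is_affected(version):
        return "not affected: version %s is outside the affected ranges" % version
    declared, enabled = cgi_servlet_settings(web_xml_text)
    if not declared:
        return "not exposed: CGI Servlet is not declared in web.xml"
    if enabled is False:
        return "mitigated: enableCmdLineArguments is false (upgrade still recommended)"
    # Explicitly true, or absent: the advisory states the default is true
    return "vulnerable: upgrade, or set enableCmdLineArguments to false"


# Constructed sample mirroring the CGI Servlet stanza in conf/web.xml
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
</web-app>
"""

# The same stanza with the advisory's mitigation applied
HARDENED_WEB_XML = SAMPLE_WEB_XML.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")

if __name__ == "__main__":
    print(assess("9.0.17", SAMPLE_WEB_XML))    # vulnerable
    print(assess("9.0.17", HARDENED_WEB_XML))  # mitigated
    print(assess("9.0.18", SAMPLE_WEB_XML))    # not affected (patched version)
```

The check deliberately treats a missing init-param as enabled, matching the advisory’s statement that “true” is the default; a stock conf/web.xml ships with the CGI Servlet stanza commented out, which the script reports as “not exposed”.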

References

https://markmail.org/message/2fblwm7tt75wn6ch
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html