Lucene search

[email protected]NVD:CVE-2019-0232

HistoryApr 15, 2019 - 3:29 p.m.

CVE-2019-0232

2019-04-1515:29:00

CWE-78

[email protected]

web.nvd.nist.gov

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.1 High

AI Score

Confidence

High

0.974 High

EPSS

Percentile

99.9%

JSON

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange’s blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Affected configurations

NVD

Node

apachetomcatRange7.0.0–7.0.93

apachetomcatRange8.5.0–8.5.39

apachetomcatRange9.0.1–9.0.17

apachetomcatMatch9.0.0milestone1

apachetomcatMatch9.0.0milestone10

apachetomcatMatch9.0.0milestone11

apachetomcatMatch9.0.0milestone12

apachetomcatMatch9.0.0milestone13

apachetomcatMatch9.0.0milestone14

apachetomcatMatch9.0.0milestone15

apachetomcatMatch9.0.0milestone16

apachetomcatMatch9.0.0milestone17

apachetomcatMatch9.0.0milestone18

apachetomcatMatch9.0.0milestone19

apachetomcatMatch9.0.0milestone2

apachetomcatMatch9.0.0milestone20

apachetomcatMatch9.0.0milestone21

apachetomcatMatch9.0.0milestone22

apachetomcatMatch9.0.0milestone23

apachetomcatMatch9.0.0milestone24

apachetomcatMatch9.0.0milestone25

apachetomcatMatch9.0.0milestone26

apachetomcatMatch9.0.0milestone3

apachetomcatMatch9.0.0milestone4

apachetomcatMatch9.0.0milestone5

apachetomcatMatch9.0.0milestone6

apachetomcatMatch9.0.0milestone7

apachetomcatMatch9.0.0milestone8

apachetomcatMatch9.0.0milestone9

AND

microsoftwindowsMatch-

References

packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html

seclists.org/fulldisclosure/2019/May/4

www.securityfocus.com/bid/107906

access.redhat.com/errata/RHSA-2019:1712

blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html

lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E

lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E

lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E

lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E

lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E

lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E

lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E

lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E

security.netapp.com/advisory/ntap-20190419-0001/

web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/

www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784

www.oracle.com/security-alerts/cpuapr2020.html

www.oracle.com/security-alerts/cpuApr2021.html

www.oracle.com/security-alerts/cpujan2020.html

www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

www.synology.com/security/advisory/Synology_SA_19_17

wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/