https://bugzilla.redhat.com/show_bug.cgi?id=1701056
Bug ID: 1701056
Summary: CVE-2019-0232 tomcat: Remote Code Execution on Windows
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190410,reported=20190416,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/tomcat=notaffected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=new,jws-3/tomcat7=new,rhel-7/tomcat=notaffected,jbews-2/tomcat7=new,jws-3/tomcat8=new,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=new,rhel-8/pki-deps:10.6/pki-servlet-container=notaffected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: lpardo@redhat.com
CC: aileenc@redhat.com, alazarot@redhat.com, alee@redhat.com, anstephe@redhat.com, avibelli@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmoulliard@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dimitris@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, fgavrilo@redhat.com, gvarsami@redhat.com, gzaronik@redhat.com, hhorak@redhat.com, ibek@redhat.com, ikanello@redhat.com, ivan.afonichev@gmail.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jclere@redhat.com, jcoleman@redhat.com, jdoyle@redhat.com, jochrist@redhat.com, jolee@redhat.com, jondruse@redhat.com, jorton@redhat.com, jpallich@redhat.com, jschatte@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kconner@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, loleary@redhat.com, lpetrovi@redhat.com, lthon@redhat.com, mbabacek@redhat.com, mizdebsk@redhat.com, mszynkie@redhat.com, myarboro@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pgallagh@redhat.com, pgier@redhat.com, pjurak@redhat.com, ppalaga@redhat.com, psakar@redhat.com, pslavice@redhat.com, rhcs-maint@redhat.com, rnetuka@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, rzhang@redhat.com, sdaley@redhat.com, spinder@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, trogers@redhat.com, twalsh@redhat.com, vhalbert@redhat.com, vtunka@redhat.com, weli@redhat.com
Blocks: 1700240
Target Milestone: ---
Classification: Other
A vulnerability was found in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93. When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability).
References: http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html
Upstream Patch: https://github.com/apache/tomcat/commit/7f0221b
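As an added example (not part of this bug record, of Tomcat or of Red Hat's tooling), the following Python helper checks the three conditions the description names: an affected Tomcat version, a Windows host, and a CGI servlet for which enableCmdLineArguments is in effect, either set explicitly or left at the pre-fix default. The servlet class name org.apache.catalina.servlets.CGIServlet is assumed from Tomcat, and the embedded web.xml is a constructed sample.

```python
# Constructed audit helper for CVE-2019-0232: checks the advisory's three conditions
import re
import xml.etree.ElementTree as ET

AFFECTED = {(7, 0): 93, (8, 5): 39, (9, 0): 17}  # last affected patch level per branch
CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"  # Tomcat's CGI servlet class (assumed)

def is_affected_version(version):
    # 7.0.0-7.0.93, 8.5.0-8.5.39, 9.0.0.M1-9.0.17; milestones judged by numeric prefix
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Tomcat version: " + version)
    major, minor, patch = (int(x) for x in m.groups())
    return patch <= AFFECTED.get((major, minor), -1)

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix web.xml elements carry

def cgi_servlets(web_xml):
    # Map each CGIServlet definition's servlet-name to its init-params
    found = {}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields, params = {}, {}
        for child in servlet:
            if _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
            else:
                fields[_local(child.tag)] = (child.text or "").strip()
        if fields.get("servlet-class") == CGI_CLASS:
            found[fields.get("servlet-name")] = params
    return found

def cmdline_args_enabled(params, version):
    # Explicit value wins; else the advisory's default: off in 9.0.x and fixed releases, on in unfixed 7.0.x/8.5.x
    if "enableCmdLineArguments" in params:
        return params["enableCmdLineArguments"].lower() == "true"
    return not version.startswith("9.") and is_affected_version(version)

def exposed_servlets(web_xml, version, on_windows):
    # Names of CGI servlets for which every condition in the advisory holds
    if not on_windows or not is_affected_version(version):
        return []
    return [n for n, p in cgi_servlets(web_xml).items() if cmdline_args_enabled(p, version)]

SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
<servlet-name>cgi</servlet-name><servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
<init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
</servlet></web-app>"""  # constructed sample, configured the risky way
```

Point `exposed_servlets` at a deployment's conf/web.xml (or a web application's WEB-INF/web.xml) together with its reported Tomcat version; an empty result means at least one of the advisory's conditions does not hold.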
Kunjan Rathod krathod@redhat.com changed:
What: Whiteboard
Removed: impact=important,public=20190410,reported=20190416,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/tomcat=notaffected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=new,jws-3/tomcat7=new,rhel-7/tomcat=notaffected,jbews-2/tomcat7=new,jws-3/tomcat8=new,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=new,rhel-8/pki-deps:10.6/pki-servlet-container=notaffected
Added: impact=important,public=20190410,reported=20190416,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/tomcat=notaffected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=new,jws-3/tomcat7=affected,rhel-7/tomcat=notaffected,jbews-2/tomcat7=new,jws-3/tomcat8=affected,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=affected,rhel-8/pki-deps:10.6/pki-servlet-container=notaffected
Kunjan Rathod krathod@redhat.com changed:
What: CC
Removed: krathod@redhat.com
Added: (none)
--- Comment #3 from Doran Moppert dmoppert@redhat.com --- Statement:
This vulnerability is specific to the Windows platform's treatment of file names and how they must be quoted. Tomcat running on Linux hosts is not affected.
Kunjan Rathod krathod@redhat.com changed:
What: Whiteboard
Removed: impact=important,public=20190410,reported=20190416,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/tomcat=notaffected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=new,jws-3/tomcat7=affected,rhel-7/tomcat=notaffected,jbews-2/tomcat7=new,jws-3/tomcat8=affected,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=affected,rhel-8/pki-deps:10.6/pki-servlet-container=notaffected
Added: impact=important,public=20190410,reported=20190416,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/tomcat=notaffected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=wontfix,jws-3/tomcat7=affected,rhel-7/tomcat=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat8=affected,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=affected,rhel-8/pki-deps:10.6/pki-servlet-container=notaffected
--- Comment #4 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2019:1712 https://access.redhat.com/errata/RHSA-2019:1712
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What: External Bug ID
Removed: (none)
Added: Red Hat Product Errata RHSA-2019:1712
--- Doc Text *updated* by Kunjan Rathod krathod@redhat.com --- A flaw was discovered in Apache Tomcat where a Java Runtime Environment can pass a command line argument on the Windows operating system in such a way that it allows arbitrary commands to be executed with the help of Tomcat’s Common Gateway Interface (CGI) Servlet, making it vulnerable to Remote Code Execution.
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was discovered in Apache Tomcat, where a Java Runtime Environment can pass a command-line argument in the Windows operating system. The execution of arbitrary commands via Tomcat’s Common Gateway Interface (CGI) Servlet allows an attacker to perform remote code execution.