https://bugzilla.redhat.com/show_bug.cgi?id=1701056
Bug ID: 1701056
Summary: CVE-2019-0232 tomcat: Remote Code Execution on Windows
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190410,reported=20190416,source=cve,cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-20,fedora-all/tomcat=notaffected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=new,jws-3/tomcat7=new,rhel-7/tomcat=notaffected,jbews-2/tomcat7=new,jws-3/tomcat8=new,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=new,rhel-8/pki-deps:10.6/pki-servlet-container=notaffected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: lpardo@redhat.com
Blocks: 1700240
Target Milestone: ---
Classification: Other
A vulnerability was found in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93. When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability).
References:
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
Upstream Patch: https://github.com/apache/tomcat/commit/7f0221b