[ALERT] ADVISORY ON REMOTE CODE EXECUTION (CVE-2019-0232) IN APACHE TOMCAT

Submitted by admin on Mon, 04/15/2019 - 16:55
Background

The Apache Software Foundation has released security updates for Apache Tomcat to address a vulnerability. A Remote Code Execution vulnerability (CVE-2019-0232) resides in the Common Gateway Interface (CGI) Servlet when running on Windows with the enableCmdLineArguments initialisation parameter enabled. Exploitation of this vulnerability could allow a remote attacker to take control of an affected system.

Affected System
  1. Apache Tomcat 9.0.0.M1 to 9.0.17
  2. Apache Tomcat 8.5.0 to 8.5.39
  3. Apache Tomcat 7.0.0 to 7.0.93
Recommendations
  • System Administrators of affected versions should immediately look out for and upgrade to:
      • Apache Tomcat 9.0.18 or later when released
      • Apache Tomcat 8.5.40 or later when released
      • Apache Tomcat 7.0.93 or later when released
  • Ensure the CGI Servlet initialisation parameter enableCmdLineArguments is set to false
  • Review the Apache security advisory for CVE-2019-0232 for updates
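The following script is an added example and is not part of this advisory or of the Apache Tomcat project. It audits a Tomcat web.xml for CGI Servlet definitions and reports whether enableCmdLineArguments is explicitly set to false, as the recommendation above asks. It assumes the standard web.xml layout and the CGI Servlet class name org.apache.catalina.servlets.CGIServlet; the sample web.xml documents (a weak one with the parameter enabled, the corrected one with it set to false, and one that omits it) are constructed for the example.

```python
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed web.xml template; the placeholder is replaced with the
# enableCmdLineArguments init-param (or with nothing) to build the samples below.
_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
@@CMDLINE@@  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""


def make_web_xml(cmd_line_value):
    """Build a constructed web.xml; None omits the enableCmdLineArguments parameter."""
    block = ""
    if cmd_line_value is not None:
        block = ("    <init-param>\n"
                 "      <param-name>enableCmdLineArguments</param-name>\n"
                 f"      <param-value>{cmd_line_value}</param-value>\n"
                 "    </init-param>\n")
    return _TEMPLATE.replace("@@CMDLINE@@", block)


WEAK_WEB_XML = make_web_xml("true")       # the precondition named in the advisory
HARDENED_WEB_XML = make_web_xml("false")  # the setting the advisory recommends
UNSET_WEB_XML = make_web_xml(None)        # relies on whatever the installed version defaults to


def _local(tag):
    """Strip the XML namespace prefix ('{uri}tag') from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return (servlet-name, enableCmdLineArguments value, status) for every
    CGIServlet definition in the document.

    Status is VULNERABLE when the parameter is "true" (case-insensitive, as
    Tomcat parses booleans), OK when it is explicitly set to anything else,
    and NOT_SET when it is absent. The advisory asks for an explicit false,
    so an absent parameter is reported for review rather than assumed safe.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname:
                    params[pname] = pvalue
        if cls != CGI_SERVLET_CLASS:
            continue  # only the CGI Servlet is relevant to this advisory
        value = params.get("enableCmdLineArguments")
        if value is None:
            status = "NOT_SET"
        elif value.lower() == "true":
            status = "VULNERABLE"
        else:
            status = "OK"
        findings.append((name, value, status))
    return findings


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML),
                       ("unset", UNSET_WEB_XML)):
        for name, value, status in audit_web_xml(doc):
            print(f"{label}: servlet '{name}' enableCmdLineArguments={value} -> {status}")
```

Run it against a real deployment by replacing the constructed samples with the contents of conf/web.xml and each application's WEB-INF/web.xml; a NOT_SET result means the parameter should be added explicitly rather than left to the branch default.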