Overview
Apache Tomcat, an open-source Java servlet container, is susceptible to remote code execution on Windows when run with a non-default configuration. If the enableCmdLineArguments parameter of the CGI servlet is enabled, an attacker can tamper with the command line arguments passed to the CGI script. The vulnerability abuses the way the Java Runtime Environment (JRE) passes command line arguments to a Windows process.
Details
Apache Tomcat uses the Common Gateway Interface (CGI) protocol to let the web server run command line scripts. While CGI is advantageous in that it is platform-independent, it has no vetting mechanism for the arguments that are passed on. Because Windows accepts only a single command line string per process, applications join their command and arguments into one string, and the child process splits that string back into arguments. On Windows, the JRE does not validate the arguments it joins into this string, which makes it vulnerable to command injection: an attacker can craft an argument so that Windows splits the string in a way the application did not intend.

For example, the metacharacter '&' separates commands if it is preceded by a quotation mark ("). Any command injected after the '&' is then executed. In the string below, systeminfo runs as a separate command following the escaped quotation mark (\") and the '&' metacharacter, whereas the intended separation should have occurred only at the closing quotation mark:

    foo.bat "pwd \"&systeminfo"

    0: [foo.bat]
    1: [pwd]
    2: [systeminfo]

The vulnerability can also cause a denial of service. Because Apache Tomcat waits for the Windows process to complete, a long-running command can be injected to trigger it.

In addition to running Apache Tomcat on Windows with enableCmdLineArguments enabled, a successful exploit requires the following:

    the CGI scripts that are executed are only batch files, and the "executable" parameter is empty
    "privileged" is set to "true"
Affected Environments
Windows running any of the following versions of Tomcat:

    Tomcat 9 – versions 9.0.0.M1 through 9.0.17
    Tomcat 8 – versions 8.5.0 through 8.5.39
    Tomcat 7 – versions 7.0.0 through 7.0.93
Remediation
Run one of the following patched versions of Tomcat on Windows:

    Apache Tomcat 9 – version 9.0.18 or later
    Apache Tomcat 8 – version 8.5.40 or later
    Apache Tomcat 7 – version 7.0.93 or later
Prevention
The affected versions can be used safely if any of the following holds:

    the default configuration is used
    CGI is disabled
    CGI is enabled, but the "enableCmdLineArguments" parameter is set to "false"
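One way to audit a deployment for the configuration combination described under Details and the settings listed under Prevention is to parse each web application's web.xml and report every CGI servlet definition. The script below is an added example, not code from the advisory or the Tomcat project; it assumes the servlet class name org.apache.catalina.servlets.CGIServlet, that the init-param names are the ones the advisory uses, and that an absent "executable" parameter keeps Tomcat's non-empty default rather than the empty value the exploit needs. The web.xml it reads is a constructed sample.

```python
# Added example (not from the advisory or the Tomcat project): audit a web.xml for
# the CGI servlet settings the advisory names. Assumed: the servlet class is
# org.apache.catalina.servlets.CGIServlet, and an absent "executable" init-param
# keeps Tomcat's non-empty default rather than the empty value the exploit needs.
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

def _child_text(elem, name):
    """Text of the first child whose local (namespace-stripped) tag is `name`."""
    for child in elem:
        if child.tag.rsplit("}", 1)[-1] == name:
            return (child.text or "").strip()
    return None

def cgi_servlet_findings(web_xml):
    """One dict per CGIServlet definition; 'exploitable_config' flags the advisory's combination."""
    findings = []
    for servlet in ET.fromstring(web_xml).iter():
        if servlet.tag.rsplit("}", 1)[-1] != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        params = {}
        for ip in servlet:
            if ip.tag.rsplit("}", 1)[-1] == "init-param":
                params[_child_text(ip, "param-name")] = _child_text(ip, "param-value")
        cmdline = params.get("enableCmdLineArguments", "").lower() == "true"
        exe_empty = params.get("executable", "perl") == ""  # absent: non-empty default (assumed)
        privileged = params.get("privileged", "").lower() == "true"
        findings.append({"servlet": _child_text(servlet, "servlet-name"),
                         "enableCmdLineArguments": cmdline, "executable_empty": exe_empty,
                         "privileged": privileged,
                         "exploitable_config": cmdline and exe_empty and privileged})
    return findings

# Constructed sample: a CGI servlet definition with the advisory's risky combination.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>executable</param-name><param-value></param-value></init-param>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>privileged</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    print(cgi_servlet_findings(SAMPLE_WEB_XML))
```

Setting enableCmdLineArguments to false in the sample, as the Prevention section advises, clears the exploitable_config flag even though the other two parameters are unchanged.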