CVE-2019-0232

Impact:
Important
Public Date:
2019-04-10
CWE:
CWE-20
Bugzilla:
1701056: CVE-2019-0232 tomcat: Remote Code Execution on Windows

The MITRE CVE dictionary describes this issue as:

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Find out more about CVE-2019-0232 from the MITRE CVE dictionary and NIST NVD.

Statement

This vulnerability is specific to the Windows platform's treatment of file names and how they must be quoted. Tomcat running on Linux hosts is not affected.
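A configuration check that follows from the description above, added here and not part of the Red Hat page or of Tomcat itself: it parses a Tomcat web.xml, finds every servlet defined with the class org.apache.catalina.servlets.CGIServlet (the class name is assumed from Tomcat's own documentation; the advisory only names the enableCmdLineArguments parameter) and reports whether command-line argument passing has been explicitly turned off. The web.xml it scans is a constructed sample.

```python
# Added check for this advisory (not Red Hat or Tomcat code): list every
# CGIServlet in a Tomcat web.xml and whether enableCmdLineArguments is off.
import xml.etree.ElementTree as ET

# Assumed from Tomcat documentation; not quoted in the advisory itself.
CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def _local(tag):
    """Strip the namespace so java.sun.com and jcp.org descriptors both work."""
    return tag.rsplit("}", 1)[-1]


def cgi_servlet_findings(web_xml_text):
    """Return [(servlet-name, enableCmdLineArguments)] for each CGIServlet.
    None means the param is absent, so the release default applies
    (on in affected 7.0.x/8.5.x releases, off in 9.0.x)."""
    findings = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if cls == CGI_SERVLET_CLASS:
            findings.append((name, params.get("enableCmdLineArguments")))
    return findings


def is_exposed(value):
    """Only an explicit 'false' disables argument passing on every release."""
    return value is None or value.strip().lower() != "false"


# Constructed sample descriptor: CGI servlet enabled, arguments switched on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""
```

Run it against each deployed web.xml (the global conf/web.xml and every application's WEB-INF/web.xml); a finding reported as exposed on a Windows host in the affected version ranges is the condition this advisory describes.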

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 5.9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-tomcat Not affected
Red Hat OpenShift Application Runtimes 1.0 springboot Not affected
Red Hat JBoss Web Server 5 tomcat Affected
Red Hat JBoss Web Server 3 tomcat7 Affected
Red Hat JBoss Web Server 3 tomcat8 Affected
Red Hat JBoss Operations Network 3 jbossweb Not affected
Red Hat JBoss Fuse Service Works 6 jbossweb Not affected
Red Hat JBoss Fuse 7 tomcat Not affected
Red Hat JBoss Fuse 6 tomcat Not affected
Red Hat JBoss Enterprise SOA Platform 5 jbossweb Not affected
Red Hat JBoss EWS 2 tomcat7 Will not fix
Red Hat JBoss EWS 2 tomcat6 Will not fix
Red Hat JBoss EAP 6 jbossweb Not affected
Red Hat JBoss EAP 5 jbossweb Not affected
Red Hat JBoss Data Virtualization 6 jbossweb Not affected
Red Hat JBoss Data Grid 7 tomcat Not affected
Red Hat JBoss Data Grid 6 jbossweb Not affected
Red Hat JBoss BRMS 6 tomcat Not affected
Red Hat JBoss BRMS 5 jbossweb Not affected
Red Hat JBoss BPMS 6 tomcat Not affected
Red Hat Enterprise Linux 8 pki-deps:10.6/pki-servlet-container Not affected
Red Hat Enterprise Linux 7 tomcat Not affected
Red Hat Enterprise Linux 6 tomcat6 Not affected
CVE description copyright © 2017, The MITRE Corporation