A remote code execution (RCE) vulnerability (CVE-2019-0232) was found in Apache Tomcat, an open source Java web application server. When Tomcat runs on Windows Operating System (OS) with the “enableCmdLineArguments” enabled, its Common Gateway Interface (CGI) Servlet is found to be vulnerable to RCE due to a flaw in how the Java Runtime Environment (JRE) passes command line arguments to the underlying OS.
Successful exploitation of the vulnerability allows a remote attacker to execute arbitrary code on the Windows OS, which can lead to a malicious takeover of the entire system.
The following versions of Tomcat running on Windows OS are vulnerable:
- 9.0.0.M1 to 9.0.17
- 8.5.0 to 8.5.39
- 7.0.0 to 7.0.93
System Administrators should immediately verify their installations, look out for and upgrade to the corresponding patched versions below at http://tomcat.apache.org/ when released:
- Apache Tomcat 9.0.18
- Apache Tomcat 8.5.40
- Apache Tomcat 7.0.94
An alternative mitigation measure is to change the “enableCmdLineArguments” default value from “true” to “false”.