CVE-2019-0232 - OpenCVE

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Tomcat
Microsoft	Windows
Redhat	Jboss Enterprise Web Server

Configuration 1 [-]

AND

OR	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat::::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone1::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone10::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone11::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone12::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone13::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone14::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone15::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone16::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone17::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone18::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone19::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone2::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone20::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone21::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone22::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone23::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone24::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone25::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone26::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone3::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone4::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone5::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone6::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone7::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone8::::::
	cpe:2.3:a:apache:tomcat:9.0.0:milestone9::::::

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat JBoss Web Server 3.1
tomcat7	cpe:/a:redhat:jboss_enterprise_web_server:3.1	RHSA-2019:1712	2019-07-09T00:00:00Z
tomcat8	cpe:/a:redhat:jboss_enterprise_web_server:3.1	RHSA-2019:1712	2019-07-09T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 6
jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6	RHSA-2019:3929	2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 7
jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7	RHSA-2019:3929	2019-11-20T00:00:00Z
Red Hat JBoss Web Server 5.2 on RHEL 8
jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z
jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws	cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8	RHSA-2019:3929	2019-11-20T00:00:00Z

References

Link	Providers
http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html
http://seclists.org/fulldisclosure/2019/May/4
http://www.securityfocus.com/bid/107906
https://access.redhat.com/errata/RHSA-2019:1712
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E
https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2019-0232
https://security.netapp.com/advisory/ntap-20190419-0001/
https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784
https://www.cve.org/CVERecord?id=CVE-2019-0232
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://www.synology.com/security/advisory/Synology_SA_19_17
https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2019-04-15T14:23:52

Updated: 2024-08-04T17:44:15.941Z

Reserved: 2018-11-14T00:00:00

Link: CVE-2019-0232

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-04-15T15:29:00.420

Modified: 2023-12-08T16:41:18.860

Link: CVE-2019-0232

Redhat

Severity : Important

Publid Date: 2019-04-10T00:00:00Z

Links: CVE-2019-0232 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object