Apache Tomcat Patches Important Remote Code Execution Flaw


The Apache Software Foundation (ASF) has released new versions
of its Tomcat application server to address an important security
vulnerability that could allow a remote attacker to execute
malicious code and take control of an affected server.

Developed by ASF, Apache Tomcat is an open source web server and
servlet container that implements several Java EE specifications,
including Java Servlet, JavaServer Pages (JSP), Expression Language
and WebSocket, to provide a "pure Java" HTTP web server environment
in which Java web applications run.

The remote code execution vulnerability (CVE-2019-0232) resides in
Tomcat's Common Gateway Interface (CGI) Servlet. It is exploitable
only when Tomcat runs on Windows with the servlet's
enableCmdLineArguments option enabled, and stems from a bug in the
way the Java Runtime Environment (JRE) passes command line arguments
to Windows. [1]

Because the CGI Servlet is disabled by default, and its
enableCmdLineArguments option is also disabled by default in Tomcat
9.0.x, the vulnerability has been rated important rather than
critical.

In response to this vulnerability, the CGI Servlet
enableCmdLineArguments option will now be disabled by default in
all versions of Apache Tomcat.

Affected Tomcat Versions

  • Apache Tomcat 9.0.0.M1 to 9.0.17
  • Apache Tomcat 8.5.0 to 8.5.39
  • Apache Tomcat 7.0.0 to 7.0.93

Unaffected Tomcat Versions

  • Apache Tomcat 9.0.18 and later
  • Apache Tomcat 8.5.40 and later
  • Apache Tomcat 7.0.94 and later

Successful exploitation could allow a remote attacker to execute
arbitrary commands on a targeted Windows server running an affected
version of Apache Tomcat with that configuration, resulting in a
full compromise of the server.

The vulnerability was reported to the Apache Tomcat security team
by a security researcher (not named by the Apache Software
Foundation) on 3rd March 2019 and was made public on 10 April 2019
after the ASF released the updated versions.

The vulnerability has been addressed with the release of Tomcat
version 9.0.19 (the fix was already in Apache Tomcat 9.0.18, but the
release vote for 9.0.18 did not pass), version 8.5.40 and version
7.0.94.

Administrators are therefore strongly advised to apply the updates
as soon as possible. If you cannot patch immediately, either leave
the CGI Servlet disabled or set its enableCmdLineArguments
initialisation parameter explicitly to false. Do not rely on the
default: on Tomcat 7.0.x and 8.5.x before the fixed releases, the
parameter defaults to true when it is omitted, so a CGI Servlet
definition without that init-param is exposed.
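The following is an added example, not code from the Apache Tomcat project or from the original article. It audits a web.xml for the exposure condition described above: a mapped org.apache.catalina.servlets.CGIServlet whose enableCmdLineArguments setting is effectively true, either set explicitly or inherited from the pre-fix default. The web.xml samples are constructed here and mirror the commented-out CGI stanza shipped in conf/web.xml; the assumption that the parameter defaults to true on Tomcat 7.0.x/8.5.x and false on 9.0.x is spelled out in default_enable_cmd_line_args().

```python
"""Audit a Tomcat web.xml for CVE-2019-0232 exposure: a mapped CGIServlet
whose enableCmdLineArguments is effectively true. Added example, not Tomcat code."""
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample: the CGI stanza from conf/web.xml, uncommented and mapped.
# {extra} receives additional init-params for the hardened variant.
_CGI_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>{extra}
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""
VULNERABLE_WEB_XML = _CGI_WEB_XML.format(extra="")  # relies on the default
HARDENED_WEB_XML = _CGI_WEB_XML.format(extra="""
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>false</param-value>
    </init-param>""")
# Constructed sample: stock layout, CGI servlet left commented out (disabled).
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- <servlet><servlet-name>cgi</servlet-name>
       <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet> -->
</web-app>
"""


def default_enable_cmd_line_args(tomcat_major):
    """Assumed pre-fix default when the init-param is omitted:
    true on 7.0.x/8.5.x, false on 9.0.x (the article's 'disabled by default in 9.0.x')."""
    return tomcat_major < 9


def _local(tag):
    # Strip the XML namespace so both the Java EE and older Sun namespaces match.
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def audit_web_xml(xml_text, tomcat_major):
    """Return one finding dict per CGIServlet definition in the document."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for elem in root:
        if _local(elem.tag) == "servlet-mapping":
            mappings.setdefault(_text(elem, "servlet-name"), []).append(_text(elem, "url-pattern"))
    findings = []
    for elem in root:
        if _local(elem.tag) != "servlet" or _text(elem, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        name = _text(elem, "servlet-name")
        params = {_text(c, "param-name"): _text(c, "param-value")
                  for c in elem if _local(c.tag) == "init-param"}
        raw = params.get("enableCmdLineArguments")
        if raw is None:
            enabled, source = default_enable_cmd_line_args(tomcat_major), "default"
        else:
            enabled, source = raw.lower() == "true", "explicit"  # Boolean.parseBoolean semantics
        patterns = mappings.get(name, [])
        findings.append({"servlet": name, "url_patterns": patterns,
                         "enable_cmd_line_arguments": enabled, "source": source,
                         "exposed": enabled and bool(patterns)})
    return findings


def report(xml_text, tomcat_major):
    """One human-readable line per finding."""
    lines = []
    for f in audit_web_xml(xml_text, tomcat_major):
        status = "EXPOSED" if f["exposed"] else "ok"
        lines.append(f'{status}: servlet {f["servlet"]} mapped to {f["url_patterns"]}, '
                     f'enableCmdLineArguments={f["enable_cmd_line_arguments"]} ({f["source"]})')
    return lines or ["ok: no CGIServlet defined"]


if __name__ == "__main__":
    for label, xml_text in [("vulnerable", VULNERABLE_WEB_XML),
                            ("hardened", HARDENED_WEB_XML), ("stock", DEFAULT_WEB_XML)]:
        print(label, "on Tomcat 8.5:", *report(xml_text, 8), sep="\n  ")
```

The audit only reads web.xml, so it tells you whether the dangerous setting is in effect, not whether the host is actually exploitable: the flaw is Windows-only, and on Tomcat 7.0.x and 8.5.x the CGI Servlet additionally needs a privileged context to run at all. Treat an EXPOSED result on a Windows host as a reason to patch or to add the explicit false init-param shown in HARDENED_WEB_XML.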

References

  1. CVE-2019-0232, Apache Tomcat security announcement
     (mail-archives.us.apache.org)
