On April 10, Apache officially announced that it will fix a remote code execution vulnerability (CVE-2019-0232) in the latest version. When running on Windows with enableCmdLineArguments enabled, CGI Servlets are vulnerable to remote code execution due to errors in the way JRE passes command-line arguments to Windows. The CGI Servlet is turned off by default.
- Apache Tomcat 9.0.0.M1 to 9.0.17
- Apache Tomcat 8.5.0 to 8.5.39
- Apache Tomcat 7.0.0 to 7.0.93
- Apache Tomcat 9.0.18
- Apache Tomcat 8.5.40
- Apache Tomcat 7.0.94
The Apache officially released the latest version to fix this vulnerability. The affected users should upgrade it as soon as possible after the official update.