CVE-2019-0232: Apache Tomcat Remote Code Execution Vulnerability Alert

On April 10, Apache officially announced that a remote code execution vulnerability (CVE-2019-0232) will be fixed in the latest version. When Tomcat runs on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to remote code execution because of a bug in the way the JRE passes command-line arguments to Windows. The CGI Servlet is turned off by default.

Affected versions

  • Apache Tomcat 9.0.0.M1 to 9.0.17
  • Apache Tomcat 8.5.0 to 8.5.39
  • Apache Tomcat 7.0.0 to 7.0.93

Unaffected versions

  • Apache Tomcat 9.0.18
  • Apache Tomcat 8.5.40
  • Apache Tomcat 7.0.94

Solution

Apache has officially released the latest version to fix this vulnerability. Affected users should upgrade to it as soon as possible.
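
To decide which hosts need the upgrade first, the three conditions in this alert (Windows host, affected version, CGI Servlet declared with enableCmdLineArguments enabled) can be checked from a Tomcat version string and the contents of web.xml. The following is an added example, not code from Apache or from the original alert; the function names and the sample web.xml are constructed for illustration, and org.apache.catalina.servlets.CGIServlet is Tomcat's standard CGI servlet class rather than a name given on this page.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges from this alert: (major, minor) -> highest affected patch level
AFFECTED = {(9, 0): 17, (8, 5): 39, (7, 0): 93}
CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample web.xml (not taken from any real deployment)
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

def is_affected_version(version):
    # Accepts '8.5.39' as well as milestone strings such as '9.0.0.M1'
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    return patch <= AFFECTED.get((major, minor), -1)

def cgi_cmdline_setting(web_xml):
    # None: no active CGIServlet; otherwise 'true', 'false' or 'unset'
    root = ET.fromstring(web_xml)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]  # drop the XML namespace
    for servlet in root.iter("servlet"):
        if (servlet.findtext("servlet-class") or "").strip() != CGI_CLASS:
            continue
        for p in servlet.findall("init-param"):
            if (p.findtext("param-name") or "").strip() == "enableCmdLineArguments":
                return (p.findtext("param-value") or "").strip().lower()
        return "unset"  # default depends on the release: flag for review
    return None

def assess(version, web_xml, on_windows):
    # All three conditions from the alert must hold for exposure
    if not (on_windows and is_affected_version(version)):
        return "not exposed"
    setting = cgi_cmdline_setting(web_xml)
    if setting in (None, "false"):
        return "not exposed"
    return "exposed" if setting == "true" else "review"
```

A servlet declaration that is commented out in web.xml is ignored by the parser, so it is reported as not exposed; a declared CGI Servlet without an explicit enableCmdLineArguments value is reported as "review" rather than guessed.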