Vulnerability Name: CVE-2019-0232 (CCN-159398) Assigned: 2018-11-14 Published: 2019-04-10 Updated: 2021-06-14 Summary: When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/). CVSS v3 Severity: 8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H )7.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): HighPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H )9.1 Critical (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C )Exploitability Metrics: Attack Vector (AV): NetworkAttack Complexity (AC): LowPrivileges Required (PR): NoneUser Interaction (UI): NoneScope: Scope (S): UnchangedImpact Metrics: Confidentiality (C): HighIntegrity (I): HighAvailibility (A): High
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): MediumAuthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C )Exploitability Metrics: Access Vector (AV): NetworkAccess Complexity (AC): LowAthentication (Au): NoneImpact Metrics: Confidentiality (C): CompleteIntegrity (I): CompleteAvailibility (A): Complete
Vulnerability Type: CWE-78 Vulnerability Consequences: Gain Access References: Source: MITRE Type: CNACVE-2019-0232 Source: CCN Type: Apache mailing list archives, Wed, 10 Apr 2019 11:03:48 GMT[SECURITY] CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows Source: MISC Type: UNKNOWNhttp://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html Source: FULLDISC Type: UNKNOWN20190504 RCE in CGI Servlet - Apache Tomcat on Windows - CVE-2019-0232 Source: CCN Type: Apache Web siteTomcat Source: CCN Type: Oracle CPUJul2019Oracle Critical Patch Update Advisory - July 2019 Source: CCN Type: Oracle CPUOct2019Oracle Critical Patch Update Advisory - October 2019 Source: BID Type: Third Party Advisory, VDB Entry107906 Source: REDHAT Type: UNKNOWNRHSA-2019:1712 Source: MISC Type: UNKNOWNhttps://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/ Source: MISC Type: Third Party Advisoryhttps://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html Source: XF Type: UNKNOWNapache-cve20190232-code-exec(159398) Source: MLIST Type: Mailing List, Vendor Advisory[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ Source: MLIST Type: Mailing List, Vendor Advisory[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ Source: MLIST Type: Mailing List, Mitigation, Vendor Advisory[ofbiz-commits] 20190415 svn commit: r1857588 - in /ofbiz: ofbiz-framework/branches/release17.12/build.gradle ofbiz-plugins/branches/release17.12/example/build.gradle Source: MLIST Type: Mailing List, Mitigation, Vendor Advisory[tomcat-users] 20190410 [SECURITY] CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows Source: MLIST Type: Mailing List, Mitigation, Vendor Advisory[ofbiz-commits] 20190415 svn commit: r1857587 - in /ofbiz: ofbiz-framework/branches/release18.12/build.gradle ofbiz-plugins/branches/release18.12/example/build.gradle Source: MLIST Type: Mailing List, Vendor Advisory[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ Source: MLIST Type: Mailing List, Vendor Advisory[ofbiz-notifications] 20190415 [jira] [Closed] (OFBIZ-10920) Update Tomcat to 9.0.18 due to CVE-2019-0232 Source: MLIST Type: Mailing List, Mitigation, Vendor Advisory[ofbiz-commits] 20190415 svn commit: r1857586 - in /ofbiz: ofbiz-framework/trunk/build.gradle ofbiz-plugins/trunk/example/build.gradle Source: MLIST Type: Mailing List, Vendor Advisory[ofbiz-notifications] 20190415 [jira] [Commented] (OFBIZ-10920) Update Tomcat to 9.0.18 due to CVE-2019-0232 Source: MLIST Type: Mailing List, Vendor Advisory[tomcat-dev] 20190421 svn commit: r1857901 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml Source: MLIST Type: UNKNOWN[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/ Source: MLIST Type: UNKNOWN[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/ Source: MLIST Type: UNKNOWN[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/ Source: MLIST Type: UNKNOWN[announce] 20200131 Apache Software Foundation Security Report: 2019 Source: MLIST Type: UNKNOWN[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/ Source: MLIST Type: UNKNOWN[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/ Source: CCN Type: Packet Storm Security [07-02-2019]Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution Source: CONFIRM Type: Third Party Advisoryhttps://security.netapp.com/advisory/ntap-20190419-0001/ Source: MISC Type: Third Party Advisoryhttps://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/ Source: CONFIRM Type: Technical Descriptionhttps://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784 Source: EXPLOIT-DB Type: EXPLOITOffensive Security Exploit Database [07-03-2019] Source: CCN Type: IBM Security Bulletin 3011649 (Resilient)Resilient is vulnerable to Using Components with Known Vulnerabilities Source: CCN Type: IBM Security Bulletin 6320835 (Security Guardium Data Encryption)Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE) Source: N/A Type: UNKNOWNN/A Source: MISC Type: UNKNOWNhttps://www.oracle.com/security-alerts/cpuApr2021.html Source: CCN Type: Oracle CPUJan2020Oracle Critical Patch Update Advisory - January 2020 Source: MISC Type: UNKNOWNhttps://www.oracle.com/security-alerts/cpujan2020.html Source: MISC Type: UNKNOWNhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html Source: MISC Type: UNKNOWNhttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Source: CONFIRM Type: UNKNOWNhttps://www.synology.com/security/advisory/Synology_SA_19_17 Source: CCN Type: WhiteSource Vulnerability DatabaseCVE-2019-0232 Source: MISC Type: UNKNOWNhttps://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/ Vulnerable Configuration: Configuration 1 :cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 7.0.0 and <= 7.0.93)OR cpe:/a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m16:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m17:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m25:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m24:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m23:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m8:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m9:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m10:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m11:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m18:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m15:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m12:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m21:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m19:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m3:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m13:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m7:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m6:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m2:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m20:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m5:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m14:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m4:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m22:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m26:*:*:*:*:*:* OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 9.0.1 and <= 9.0.17) OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 8.5.0 and <= 8.5.39) AND cpe:/o:microsoft:windows:-:*:*:*:*:*:*:* Configuration CCN 1 :cpe:/a:apache:tomcat:7.0.0:*:*:*:*:*:*:* OR cpe:/a:apache:tomcat:8.5.0:*:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.0:m1:*:*:*:*:*:* OR cpe:/a:apache:tomcat:9.0.17:*:*:*:*:*:*:* OR cpe:/a:apache:tomcat:8.5.39:*:*:*:*:*:*:* OR cpe:/a:apache:tomcat:7.0.93:*:*:*:*:*:*:* AND cpe:/a:oracle:agile_engineering_data_management:6.2.0.0:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_order_broker_cloud_service:5.2:*:*:*:*:*:*:* OR cpe:/a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:* OR cpe:/a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:* OR cpe:/a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:* OR cpe:/a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:* OR cpe:/a:oracle:agile_engineering_data_management:6.2.1:*:*:*:*:*:*:* OR cpe:/a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:* OR cpe:/a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:* OR cpe:/a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:* OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:* Denotes that component is vulnerable Oval Definitions BACK
apache tomcat *
apache tomcat 9.0.0 m1
apache tomcat 9.0.0 m16
apache tomcat 9.0.0 m17
apache tomcat 9.0.0 m25
apache tomcat 9.0.0 m24
apache tomcat 9.0.0 m23
apache tomcat 9.0.0 m8
apache tomcat 9.0.0 m9
apache tomcat 9.0.0 m10
apache tomcat 9.0.0 m11
apache tomcat 9.0.0 m18
apache tomcat 9.0.0 m15
apache tomcat 9.0.0 m12
apache tomcat 9.0.0 m21
apache tomcat 9.0.0 m19
apache tomcat 9.0.0 m3
apache tomcat 9.0.0 m13
apache tomcat 9.0.0 m7
apache tomcat 9.0.0 m6
apache tomcat 9.0.0 m2
apache tomcat 9.0.0 m20
apache tomcat 9.0.0 m5
apache tomcat 9.0.0 m14
apache tomcat 9.0.0 m4
apache tomcat 9.0.0 m22
apache tomcat 9.0.0 m26
apache tomcat *
apache tomcat *
microsoft windows -
apache tomcat 7.0.0
apache tomcat 8.5.0
apache tomcat 9.0.0 m1
apache tomcat 9.0.17
apache tomcat 8.5.39
apache tomcat 7.0.93
oracle agile engineering data management 6.2.0.0
oracle retail order broker cloud service 5.2
oracle retail order broker cloud service 15.0
oracle transportation management 6.3.7
oracle agile plm framework 9.3.6
oracle micros relate crm software 11.4
oracle agile engineering data management 6.2.1
oracle instantis enterprisetrack 17.1
oracle instantis enterprisetrack 17.2
oracle instantis enterprisetrack 17.3
ibm security guardium data encryption 3.0.0.2