Vulnerability Name:

CVE-2019-0232 (CCN-159398)

Assigned: 2018-11-14
Published: 2019-04-10
Updated: 2021-06-14
Summary: When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
CVSS v3 Severity: 8.1 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
7.5 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
9.8 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
9.1 Critical (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 9.3 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
10.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-78
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2019-0232

Source: CCN
Type: Apache mailing list archives, Wed, 10 Apr 2019 11:03:48 GMT
[SECURITY] CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows

Source: MISC
Type: UNKNOWN
http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html

Source: FULLDISC
Type: UNKNOWN
20190504 RCE in CGI Servlet - Apache Tomcat on Windows - CVE-2019-0232

Source: CCN
Type: Apache Web site
Tomcat

Source: CCN
Type: Oracle CPUJul2019
Oracle Critical Patch Update Advisory - July 2019

Source: CCN
Type: Oracle CPUOct2019
Oracle Critical Patch Update Advisory - October 2019

Source: BID
Type: Third Party Advisory, VDB Entry
107906

Source: REDHAT
Type: UNKNOWN
RHSA-2019:1712

Source: MISC
Type: UNKNOWN
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/

Source: MISC
Type: Third Party Advisory
https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html

Source: XF
Type: UNKNOWN
apache-cve20190232-code-exec(159398)

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Source: MLIST
Type: Mailing List, Mitigation, Vendor Advisory
[ofbiz-commits] 20190415 svn commit: r1857588 - in /ofbiz: ofbiz-framework/branches/release17.12/build.gradle ofbiz-plugins/branches/release17.12/example/build.gradle

Source: MLIST
Type: Mailing List, Mitigation, Vendor Advisory
[tomcat-users] 20190410 [SECURITY] CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows

Source: MLIST
Type: Mailing List, Mitigation, Vendor Advisory
[ofbiz-commits] 20190415 svn commit: r1857587 - in /ofbiz: ofbiz-framework/branches/release18.12/build.gradle ofbiz-plugins/branches/release18.12/example/build.gradle

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-notifications] 20190415 [jira] [Closed] (OFBIZ-10920) Update Tomcat to 9.0.18 due to CVE-2019-0232

Source: MLIST
Type: Mailing List, Mitigation, Vendor Advisory
[ofbiz-commits] 20190415 svn commit: r1857586 - in /ofbiz: ofbiz-framework/trunk/build.gradle ofbiz-plugins/trunk/example/build.gradle

Source: MLIST
Type: Mailing List, Vendor Advisory
[ofbiz-notifications] 20190415 [jira] [Commented] (OFBIZ-10920) Update Tomcat to 9.0.18 due to CVE-2019-0232

Source: MLIST
Type: Mailing List, Vendor Advisory
[tomcat-dev] 20190421 svn commit: r1857901 - in /tomcat/site/trunk: docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-7.xml xdocs/security-8.xml xdocs/security-9.xml

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/

Source: MLIST
Type: UNKNOWN
[announce] 20200131 Apache Software Foundation Security Report: 2019

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/

Source: CCN
Type: Packet Storm Security [07-02-2019]
Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20190419-0001/

Source: MISC
Type: Third Party Advisory
https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/

Source: CONFIRM
Type: Technical Description
https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [07-03-2019]

Source: CCN
Type: IBM Security Bulletin 3011649 (Resilient)
Resilient is vulnerable to Using Components with Known Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6320835 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: MISC
Type: UNKNOWN
https://www.oracle.com/security-alerts/cpuApr2021.html

Source: CCN
Type: Oracle CPUJan2020
Oracle Critical Patch Update Advisory - January 2020

Source: MISC
Type: UNKNOWN
https://www.oracle.com/security-alerts/cpujan2020.html

Source: MISC
Type: UNKNOWN
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Source: MISC
Type: UNKNOWN
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Source: CONFIRM
Type: UNKNOWN
https://www.synology.com/security/advisory/Synology_SA_19_17

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-0232

Source: MISC
Type: UNKNOWN
https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 7.0.0 and <= 7.0.93)
  • OR cpe:/a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m16:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m17:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m25:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m24:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m23:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m8:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m9:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m10:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m11:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m18:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m15:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m12:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m21:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m19:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m3:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m13:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m7:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m6:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m2:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m20:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m5:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m14:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m4:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m22:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m26:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 9.0.1 and <= 9.0.17)
  • OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version >= 8.5.0 and <= 8.5.39)
  • AND
  • cpe:/o:microsoft:windows:-:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:9.0.17:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:8.5.39:*:*:*:*:*:*:*
  • OR cpe:/a:apache:tomcat:7.0.93:*:*:*:*:*:*:*
  • AND
  • cpe:/a:oracle:agile_engineering_data_management:6.2.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker_cloud_service:5.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:retail_order_broker_cloud_service:15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:transportation_management:6.3.7:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_plm_framework:9.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:micros_relate_crm_software:11.4:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:agile_engineering_data_management:6.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

Definition ID | Class | Title | Last Modified
oval:com.ubuntu.cosmic:def:20190232000 | V | CVE-2019-0232 on Ubuntu 18.10 (cosmic) - low. | 2019-04-15
oval:com.ubuntu.cosmic:def:201902320000000 | V | CVE-2019-0232 on Ubuntu 18.10 (cosmic) - low. | 2019-04-15
oval:com.ubuntu.bionic:def:20190232000 | V | CVE-2019-0232 on Ubuntu 18.04 LTS (bionic) - low. | 2019-04-15
oval:com.ubuntu.bionic:def:201902320000000 | V | CVE-2019-0232 on Ubuntu 18.04 LTS (bionic) - low. | 2019-04-15
oval:com.ubuntu.trusty:def:20190232000 | V | CVE-2019-0232 on Ubuntu 14.04 LTS (trusty) - low. | 2019-04-15
oval:com.ubuntu.xenial:def:201902320000000 | V | CVE-2019-0232 on Ubuntu 16.04 LTS (xenial) - low. | 2019-04-15
oval:com.ubuntu.xenial:def:20190232000 | V | CVE-2019-0232 on Ubuntu 16.04 LTS (xenial) - low. | 2019-04-15