The Apache Software Foundation (ASF) has released new versions of its Tomcat application server to address an important security vulnerability that could allow a remote attacker to execute malicious code and take control of an affected server. Developed by ASF, Apache Tomcat is an open source web server and servlet system, which uses several Java EE specifications such as Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket to provide a “pure Java” HTTP web server environment for Java concept to run in. The remote code execution vulnerability (CVE-2019-0232) resides in the Common Gateway Interface (CGI) Servlet when running on Windows with enableCmdLineArguments enabled and occurs due to a bug in the way the Java Runtime Environment (JRE) passes command line arguments to Windows. Since the CGI Servlet is disabled by default and its option enableCmdLineArguments is disabled by default in Tomcat 9.0.x, the remote code execution vulnerability has been rated as important and not critical. In response to this vulnerability, the CGI Servlet enableCmdLineArguments option will now be disabled by default in all versions of Apache Tomcat. Affected Tomcat Versions Apache Tomcat 9.0.0.M1 to 9.0.17 Apache Tomcat 8.5.0 to 8.5.39 Apache Tomcat 7.0.0 to 7.0.93 Unaffected Tomcat Versions Apache Tomcat 9.0.18 and later Apache Tomcat 8.5.40 and later Apache Tomcat 7.0.94 and later Successful exploitation of this vulnerability could allow a remote attacker to execute an arbitrary command on a targeted Windows server running an affected version of Apache Tomcat, resulting in a full compromise. The vulnerability was reported to the Apache Tomcat security team by a security researcher (not named by the Apache Software Foundation) on 3rd March 2019 and was made public on 10 April 2019 after the ASF released the updated versions. This Apache vulnerability has been addressed with the release of Tomcat version 9.0.19 (though the issue was fixed in Apache Tomcat 9.0.18, the release vote for the 9.0.18 release did not pass), version 8.5.40 and version 7.0.93. So, administrators are strongly recommended to apply the software updates as soon as possible. If you are unable to apply the patches immediately, you should ensure the CGI Servlet initialisation parameter's default enableCmdLineArguments value is set to false.
http://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png 0 0 govanguard http://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2019-04-15 03:56:002019-04-15 03:56:00Apache Tomcat Patches Important Remote Code Execution Flaw
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email email@example.com