{
  "threat_severity" : "Important",
  "public_date" : "2019-04-10T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: Remote Code Execution on Windows",
    "id" : "1701056",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1701056"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).", "A flaw was discovered in Apache Tomcat in the way the Java Runtime Environment passes command-line arguments on the Windows operating system. The execution of arbitrary commands via Tomcat’s Common Gateway Interface (CGI) Servlet allows an attacker to perform remote code execution." ],
  "statement" : "This vulnerability is specific to the Windows platform's treatment of file names and how they must be quoted. Tomcat running on Linux hosts is not affected.",
  "affected_release" : [ {
    "product_name" : "Red Hat JBoss Web Server 3.1",
    "release_date" : "2019-07-09T00:00:00Z",
    "advisory" : "RHSA-2019:1712",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1",
    "package" : "tomcat7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.1",
    "release_date" : "2019-07-09T00:00:00Z",
    "advisory" : "RHSA-2019:1712",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1",
    "package" : "tomcat8"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6",
    "package" : "jws5-ecj-0:4.12.0-1.redhat_1.1.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6",
    "package" : "jws5-javapackages-tools-0:3.4.1-5.15.11.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6",
    "package" : "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6",
    "package" : "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6",
    "package" : "jws5-tomcat-0:9.0.21-10.redhat_4.1.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6",
    "package" : "jws5-tomcat-native-0:1.2.21-34.redhat_34.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 6",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el6",
    "package" : "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7",
    "package" : "jws5-ecj-0:4.12.0-1.redhat_1.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7",
    "package" : "jws5-javapackages-tools-0:3.4.1-5.15.11.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7",
    "package" : "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7",
    "package" : "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7",
    "package" : "jws5-tomcat-0:9.0.21-10.redhat_4.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7",
    "package" : "jws5-tomcat-native-0:1.2.21-34.redhat_34.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 7",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el7",
    "package" : "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8",
    "package" : "jws5-ecj-0:4.12.0-1.redhat_1.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8",
    "package" : "jws5-javapackages-tools-0:3.4.1-5.15.11.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8",
    "package" : "jws5-jboss-logging-0:3.3.2-1.Final_redhat_00001.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8",
    "package" : "jws5-mod_cluster-0:1.4.1-1.Final_redhat_00001.2.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8",
    "package" : "jws5-tomcat-0:9.0.21-10.redhat_4.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8",
    "package" : "jws5-tomcat-native-0:1.2.21-34.redhat_34.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.2 on RHEL 8",
    "release_date" : "2019-11-20T00:00:00Z",
    "advisory" : "RHSA-2019:3929",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.2::el8",
    "package" : "jws5-tomcat-vault-0:1.1.8-1.Final_redhat_1.1.el8jws"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat BPM Suite 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "pki-deps:10.6/pki-servlet-container",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss BRMS 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:7"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat7",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-java-common-tomcat",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-0232\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-0232" ],
  "name" : "CVE-2019-0232",
  "csaw" : false
}