Apache patches Tomcat RCE vulnerability

The Apache Software Foundation has released new Apache Tomcat security updates to address a remote code execution (RCE) vulnerability.

A remote attacker could exploit the Apache Tomcat RCE vulnerability CVE-2019-0232 and take control of affected system if left unpatched.

Apache provided a brief description of the vulnerability in a recent security advisory:

“When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability).”

The vulnerability is rated Important and should be patched as soon as possible via any of the following mitigations:

  • Ensure the CGI Servlet initialisation parameter enableCmdLineArguments is set to false. See more info on GitHub
  • For versions Apache Tomcat 9.0.0.M1 to 9.0.17, upgrade to Apache Tomcat 9.0.18 or later when released.
  • For versions of Apache Tomcat 8.5.0 to 8.5.39, upgrade to Apache Tomcat 8.5.40 or later when released.
  • For versions of Apache Tomcat 7.0.0 to 7.0.93, upgrade to Apache Tomcat 7.0.93 or later when released.

See the full Apache security advisory for more details and related articles.