New versions of Tomcat 7x, 8x and 9x have been issued to fix a vulnerability when running Tomcat on a Microsoft Windows based system. The vulnerability is related to the challenging way. Windows and Java interact to process and parse command line arguments. The result is a remote code execution vulnerability in the CGI Servlet.
The CGI Servlet is disabled by default, but if it has been enabled along with the configuration option enableCmdLineArguments then the installation is vulnerable to the exploit recorded as CVE-2019-0232. enableCmdLineArguments is enabled by default in Tomcat 7x and 8x but disabled by default in 9x. All future versions of Tomcat will have this option disabled by default across all three product streams, says Apache in the security advisory.
To mitigate this vulnerability Apache Software Foundation offers this advice:
Users of affected versions should apply one of the following mitigations:
– Ensure the CGI Servlet initialisation parameter enableCmdLineArguments
is set to false
– Upgrade to Apache Tomcat 9.0.18 or later when released
– Upgrade to Apache Tomcat 8.5.40 or later when released
– Upgrade to Apache Tomcat 7.0.93 or later when released
This vulnerability underlines the need for Systems Administrators to review the configuration of middleware and infrastructure software such as Tomcat to check that optional features are disabled by default to minimise the attack surface and only enabled when truly required.
Regular automated vulnerability scans run inside and outside of your firewalls will help identify software features that are enabled which expose your network to known vulnerabilities.
Interested software developers can read this archived MSDN article which explores the problem of parsing command line arguments in Windows – and how to do it safely.