CVE-2019-0232

Publication date 15 April 2019

Last updated 24 July 2024


Ubuntu priority

Cvss 3 Severity Score

8.1 · High

Score breakdown

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Read the notes from the security team

Status

Package Ubuntu Release Status
tomcat7 18.10 cosmic
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected
tomcat8 18.10 cosmic
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty Not in release
tomcat9 18.10 cosmic
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial Not in release
14.04 LTS trusty Not in release

Notes


leosilva

marking as low since it is a windows specific vulnerability

Severity score breakdown

Parameter Value
Base score 8.1 · High
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H