Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2019/04/14 14:31:00 UTC
[jira] [Updated] (OFBIZ-10920) Update Tomcat to 9.0.18 due to CVE-2019-0232
[ https://issues.apache.org/jira/browse/OFBIZ-10920?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jacques Le Roux updated OFBIZ-10920:
------------------------------------
Fix Version/s: 16.11.06
> Update Tomcat to 9.0.18 due to CVE-2019-0232
> ---------------------------------------------
>
> Key: OFBIZ-10920
> URL: https://issues.apache.org/jira/browse/OFBIZ-10920
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 16.11.06
>
>
> CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.17
> Apache Tomcat 8.5.0 to 8.5.39
> Apache Tomcat 7.0.0 to 7.0.93
> Description:
> When running on Windows with enableCmdLineArguments enabled, the CGI
> Servlet is vulnerable to Remote Code Execution due to a bug in the way
> the JRE passes command line arguments to Windows. The CGI Servlet is
> disabled by default. The CGI option enableCmdLineArguments is disabled
> by default in Tomcat 9.0.x (and will be disabled by default in all
> versions in response to this vulnerability). For a detailed explanation
> of the JRE behaviour, see Markus Wulftange's blog [1] and this archived
> MSDN blog [2].
> Mitigation:
> Users of affected versions should apply one of the following mitigations:
> - Ensure the CGI Servlet initialisation parameter enableCmdLineArguments
> is set to false
> - Upgrade to Apache Tomcat 9.0.18 or later when released
> - Upgrade to Apache Tomcat 8.5.40 or later when released
> - Upgrade to Apache Tomcat 7.0.93 or later when released
> This announcement is being made before the releases are available as the
> change to fix this issue is obviously security related.
> Credit:
> This issue was identified by an external security researcher and
> reported to the Apache Tomcat security team via the bug bounty program
> sponsored by the EU FOSSA-2 project.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
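The advisory's first mitigation is a configuration check: every CGI servlet declaration must have enableCmdLineArguments set to false, and on the 7.0.x and 8.5.x lines an absent parameter meant "enabled" before the fix (9.0.x already defaulted to off). The script below is an added example, not part of the OFBiz issue or the Tomcat advisory: it parses a web.xml, finds every servlet backed by org.apache.catalina.servlets.CGIServlet and reports whether command-line arguments are effectively enabled, applying the pre-fix default for the Tomcat branch you pass in. The web.xml it scans is constructed for the example and the servlet names in it are made up.

```python
"""Audit a Tomcat web.xml for CGI servlets exposed to CVE-2019-0232.

Added example (not from the OFBiz issue or the Tomcat project). It finds every
servlet whose class is org.apache.catalina.servlets.CGIServlet and reports the
effective value of enableCmdLineArguments, using the pre-fix defaults stated in
the advisory: on in 7.0.x/8.5.x, off in 9.0.x. The sample web.xml is constructed.
"""
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Default applied when enableCmdLineArguments is not declared, per advisory text.
PRE_FIX_DEFAULT_ENABLED = {"7.0": True, "8.5": True, "9.0": False}

# Constructed sample: one hardened CGI servlet, one relying on the default,
# and an unrelated servlet that must be ignored. Servlet names are made up.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>cgi-hardened</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>cgi-legacy</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def _local(tag):
    """Strip the XML namespace, e.g. '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with local name `name`, or None."""
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def audit_cgi_servlets(web_xml, tomcat_line):
    """Return one finding per CGIServlet declaration, in document order.

    tomcat_line selects the pre-fix default ("7.0", "8.5" or "9.0") used when
    enableCmdLineArguments is not declared on the servlet.
    """
    default_enabled = PRE_FIX_DEFAULT_ENABLED[tomcat_line]
    root = ET.fromstring(web_xml)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        explicit = None
        for init_param in servlet:
            if _local(init_param.tag) != "init-param":
                continue
            if _child_text(init_param, "param-name") == "enableCmdLineArguments":
                value = _child_text(init_param, "param-value") or ""
                explicit = value.lower() == "true"
        findings.append({
            "servlet": _child_text(servlet, "servlet-name"),
            "explicitly_set": explicit is not None,
            "cmd_line_args_enabled": default_enabled if explicit is None else explicit,
        })
    return findings


def exposed_servlets(findings):
    """Names of CGI servlets whose effective enableCmdLineArguments is true."""
    return [f["servlet"] for f in findings if f["cmd_line_args_enabled"]]


if __name__ == "__main__":
    for line in ("8.5", "9.0"):
        found = audit_cgi_servlets(SAMPLE_WEB_XML, line)
        print(f"Tomcat {line}.x: exposed CGI servlets = {exposed_servlets(found)}")
```

Run it against conf/web.xml and any per-application WEB-INF/web.xml; a CGI servlet that is declared but commented out, as in a stock Tomcat install, never appears in the parse and is correctly not reported. The check is about configuration only: the advisory restricts exploitation to Windows, but the fix of setting the parameter to false explicitly is the same on every platform and survives an upgrade that changes the default.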