You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2019/04/10 11:02:52 UTC
svn commit: r1857239 - in /tomcat/site/trunk: docs/security-7.html
docs/security-8.html docs/security-9.html xdocs/security-7.xml
xdocs/security-8.xml xdocs/security-9.xml
Author: markt
Date: Wed Apr 10 11:02:51 2019
New Revision: 1857239
URL: http://svn.apache.org/viewvc?rev=1857239&view=rev
Log:
Add details of CVE-2019-0232
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml
Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1857239&r1=1857238&r2=1857239&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed Apr 10 11:02:51 2019
@@ -211,6 +211,9 @@
<a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_7.0.94">Fixed in Apache Tomcat 7.0.94</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_7.0.91">Fixed in Apache Tomcat 7.0.91</a>
</li>
<li>
@@ -394,6 +397,40 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_7.0.94">
+<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 7.0.94</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution on Windows</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232" rel="nofollow">CVE-2019-0232</a>
+</p>
+
+
+<p>When running on Windows with enableCmdLineArguments enabled, the CGI
+ Servlet is vulnerable to Remote Code Execution due to a bug in the way
+ the JRE passes command line arguments to Windows. The CGI Servlet is
+ disabled by default. For a detailed explanation of the JRE behaviour, see
+ <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus
+ Wulftange's blog</a> and this archived
+ <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN
+ blog</a>.</p>
+
+
+<p>This was fixed with commit <a href="https://github.com/apache/tomcat/commit/7f0221b">7f0221b</a>.</p>
+
+
+<p>This issue was identified by an external security researcher and reported
+ to the Apache Tomcat security team via the bug bounty program sponsored
+ by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on
+ 10 April 2019.</p>
+
+
+<p>Affects: 7.0.0 to 7.0.93</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_7.0.91">
<span class="pull-right">19 September 2018</span> Fixed in Apache Tomcat 7.0.91</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-8.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1857239&r1=1857238&r2=1857239&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Wed Apr 10 11:02:51 2019
@@ -211,6 +211,9 @@
<a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_8.5.40">Fixed in Apache Tomcat 8.5.40</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_8.5.38">Fixed in Apache Tomcat 8.5.38</a>
</li>
<li>
@@ -373,6 +376,40 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_8.5.40">
+<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 8.5.40</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution on Windows</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232" rel="nofollow">CVE-2019-0232</a>
+</p>
+
+
+<p>When running on Windows with enableCmdLineArguments enabled, the CGI
+ Servlet is vulnerable to Remote Code Execution due to a bug in the way
+ the JRE passes command line arguments to Windows. The CGI Servlet is
+ disabled by default. For a detailed explanation of the JRE behaviour, see
+ <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus
+ Wulftange's blog</a> and this archived
+ <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN
+ blog</a>.</p>
+
+
+<p>This was fixed with commit <a href="https://github.com/apache/tomcat/commit/5bc4e6d">5bc4e6d</a>.</p>
+
+
+<p>This issue was identified by an external security researcher and reported
+ to the Apache Tomcat security team via the bug bounty program sponsored
+ by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on
+ 10 April 2019.</p>
+
+
+<p>Affects: 8.5.0 to 8.5.39</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_8.5.38">
<span class="pull-right">8 February 2019</span> Fixed in Apache Tomcat 8.5.38</h3>
<div class="text">
Modified: tomcat/site/trunk/docs/security-9.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1857239&r1=1857238&r2=1857239&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Wed Apr 10 11:02:51 2019
@@ -211,6 +211,9 @@
<a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x vulnerabilities</a>
</li>
<li>
+<a href="#Fixed_in_Apache_Tomcat_9.0.18">Fixed in Apache Tomcat 9.0.18</a>
+</li>
+<li>
<a href="#Fixed_in_Apache_Tomcat_9.0.16">Fixed in Apache Tomcat 9.0.16</a>
</li>
<li>
@@ -313,6 +316,42 @@
</div>
+<h3 id="Fixed_in_Apache_Tomcat_9.0.18">
+<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 9.0.18</h3>
+<div class="text">
+
+
+<p>
+<strong>Important: Remote Code Execution on Windows</strong>
+ <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232" rel="nofollow">CVE-2019-0232</a>
+</p>
+
+
+<p>When running on Windows with enableCmdLineArguments enabled, the CGI
+ Servlet is vulnerable to Remote Code Execution due to a bug in the way
+ the JRE passes command line arguments to Windows. The CGI Servlet is
+ disabled by default. The CGI option enableCmdLineArguments is disabled by
+ default in Tomcat 9.0.x. For a detailed explanation of the JRE behaviour,
+ see
+ <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus
+ Wulftange's blog</a> and this archived
+ <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN
+ blog</a>.</p>
+
+
+<p>This was fixed with commit <a href="https://github.com/apache/tomcat/commit/4b244d8">4b244d8</a>.</p>
+
+
+<p>This issue was identified by an external security researcher and reported
+ to the Apache Tomcat security team via the bug bounty program sponsored
+ by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on
+ 10 April 2019.</p>
+
+
+<p>Affects: 9.0.0.M1 to 9.0.17</p>
+
+
+</div>
<h3 id="Fixed_in_Apache_Tomcat_9.0.16">
<span class="pull-right">8 February 2019</span> Fixed in Apache Tomcat 9.0.16</h3>
<div class="text">
Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1857239&r1=1857238&r2=1857239&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed Apr 10 11:02:51 2019
@@ -50,6 +50,31 @@
</section>
+ <section name="Fixed in Apache Tomcat 7.0.94" rtext="not yet released">
+
+ <p><strong>Important: Remote Code Execution on Windows</strong>
+ <cve>CVE-2019-0232</cve></p>
+
+ <p>When running on Windows with enableCmdLineArguments enabled, the CGI
+ Servlet is vulnerable to Remote Code Execution due to a bug in the way
+ the JRE passes command line arguments to Windows. The CGI Servlet is
+ disabled by default. For a detailed explanation of the JRE behaviour, see
+ <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus
+ Wulftange's blog</a> and this archived
+ <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN
+ blog</a>.</p>
+
+ <p>This was fixed with commit <hashlink hash="7f0221b">7f0221b</hashlink>.</p>
+
+ <p>This issue was identified by an external security researcher and reported
+ to the Apache Tomcat security team via the bug bounty program sponsored
+ by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on
+ 10 April 2019.</p>
+
+ <p>Affects: 7.0.0 to 7.0.93</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 7.0.91" rtext="19 September 2018">
<p><strong>Moderate: Open Redirect</strong>
Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1857239&r1=1857238&r2=1857239&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Wed Apr 10 11:02:51 2019
@@ -50,6 +50,31 @@
</section>
+ <section name="Fixed in Apache Tomcat 8.5.40" rtext="not yet released">
+
+ <p><strong>Important: Remote Code Execution on Windows</strong>
+ <cve>CVE-2019-0232</cve></p>
+
+ <p>When running on Windows with enableCmdLineArguments enabled, the CGI
+ Servlet is vulnerable to Remote Code Execution due to a bug in the way
+ the JRE passes command line arguments to Windows. The CGI Servlet is
+ disabled by default. For a detailed explanation of the JRE behaviour, see
+ <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus
+ Wulftange's blog</a> and this archived
+ <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN
+ blog</a>.</p>
+
+ <p>This was fixed with commit <hashlink hash="5bc4e6d">5bc4e6d</hashlink>.</p>
+
+ <p>This issue was identified by an external security researcher and reported
+ to the Apache Tomcat security team via the bug bounty program sponsored
+ by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on
+ 10 April 2019.</p>
+
+ <p>Affects: 8.5.0 to 8.5.39</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 8.5.38" rtext="8 February 2019">
<p><strong>Important: Denial of Service</strong>
Modified: tomcat/site/trunk/xdocs/security-9.xml
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1857239&r1=1857238&r2=1857239&view=diff
==============================================================================
--- tomcat/site/trunk/xdocs/security-9.xml (original)
+++ tomcat/site/trunk/xdocs/security-9.xml Wed Apr 10 11:02:51 2019
@@ -50,6 +50,33 @@
</section>
+ <section name="Fixed in Apache Tomcat 9.0.18" rtext="not yet released">
+
+ <p><strong>Important: Remote Code Execution on Windows</strong>
+ <cve>CVE-2019-0232</cve></p>
+
+ <p>When running on Windows with enableCmdLineArguments enabled, the CGI
+ Servlet is vulnerable to Remote Code Execution due to a bug in the way
+ the JRE passes command line arguments to Windows. The CGI Servlet is
+ disabled by default. The CGI option enableCmdLineArguments is disabled by
+ default in Tomcat 9.0.x. For a detailed explanation of the JRE behaviour,
+ see
+ <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus
+ Wulftange's blog</a> and this archived
+ <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN
+ blog</a>.</p>
+
+ <p>This was fixed with commit <hashlink hash="4b244d8">4b244d8</hashlink>.</p>
+
+ <p>This issue was identified by an external security researcher and reported
+ to the Apache Tomcat security team via the bug bounty program sponsored
+ by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on
+ 10 April 2019.</p>
+
+ <p>Affects: 9.0.0.M1 to 9.0.17</p>
+
+ </section>
+
<section name="Fixed in Apache Tomcat 9.0.16" rtext="8 February 2019">
<p><i>Note: The issue below was fixed in Apache Tomcat 9.0.15 but the
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org