Posted to notifications@ofbiz.apache.org by "Jacques Le Roux (JIRA)" <ji...@apache.org> on 2019/04/14 14:31:00 UTC

[jira] [Commented] (OFBIZ-10920) Update Tomcat to 9.0.18 due to CVE-2019-0232

    [ https://issues.apache.org/jira/browse/OFBIZ-10920?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16817316#comment-16817316 ] 

Jacques Le Roux commented on OFBIZ-10920:
-----------------------------------------

Oops, I had it pending in R16 and did not notice it was committed with r1857395 backporting for OFBIZ-10837. Just realised it now that Tomcat 8.5.40 was officially announced. I was just lucky it was already available on jcenter :)

> Update Tomcat to 9.0.18 due to CVE-2019-0232 
> ---------------------------------------------
>
>                 Key: OFBIZ-10920
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-10920
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk, Release Branch 17.12, Release Branch 18.12
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Major
>
> CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.17
> Apache Tomcat 8.5.0 to 8.5.39
> Apache Tomcat 7.0.0 to 7.0.93
> Description:
> When running on Windows with enableCmdLineArguments enabled, the CGI
> Servlet is vulnerable to Remote Code Execution due to a bug in the way
> the JRE passes command line arguments to Windows. The CGI Servlet is
> disabled by default. The CGI option enableCmdLineArguments is disabled
> by default in Tomcat 9.0.x (and will be disabled by default in all
> versions in response to this vulnerability). For a detailed explanation
> of the JRE behaviour, see Markus Wulftange's blog [1] and this archived
> MSDN blog [2].
> Mitigation:
> Users of affected versions should apply one of the following mitigations:
> - Ensure the CGI Servlet initialisation parameter enableCmdLineArguments
>     is set to false
> - Upgrade to Apache Tomcat 9.0.18 or later when released
> - Upgrade to Apache Tomcat 8.5.40 or later when released
> - Upgrade to Apache Tomcat 7.0.93 or later when released
> This announcement is being made before the releases are available as the
> change to fix this issue is obviously security related.
> Credit:
> This issue was identified by an external security researcher and
> reported to the Apache Tomcat security team via the bug bounty program
> sponsored by the EU FOSSA-2 project.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
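As an added example that is not part of this JIRA thread, of the Tomcat advisory or of the OFBiz project, the following Python script turns the advisory's two conditions into an offline check a defender can run against a deployment inventory: whether the Tomcat version falls inside one of the affected ranges quoted above (9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39, 7.0.0 to 7.0.93), and whether conf/web.xml declares the CGI Servlet with enableCmdLineArguments turned on. The affected ranges and the parameter name come from the quoted advisory; the web.xml fragment is constructed for the example and the assumption that the 7.0 and 8.5 lines defaulted enableCmdLineArguments to true before the fix is inferred from the advisory's remark that 9.0.x already disabled it by default.

```python
import re
import xml.etree.ElementTree as ET

# Highest affected patch level per release line, from the advisory quoted above
# (9.0.0.M1-9.0.17, 8.5.0-8.5.39, 7.0.0-7.0.93). Ranges are inclusive.
AFFECTED_UP_TO = {(9, 0): 17, (8, 5): 39, (7, 0): 93}

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def parse_version(version):
    """Return (major, minor, patch); milestone suffixes such as '.M1' are ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    major, minor, patch = parse_version(version)
    limit = AFFECTED_UP_TO.get((major, minor))
    return limit is not None and patch <= limit


def default_cmdline_args(version):
    """Pre-fix default of enableCmdLineArguments for a release line.

    Assumption inferred from the advisory: 9.0.x already shipped with it
    disabled, the older 7.0 and 8.5 lines shipped with it enabled.
    """
    major, minor, _ = parse_version(version)
    return (major, minor) in {(7, 0), (8, 5)}


def _local(tag):
    # web.xml carries a JavaEE namespace; compare on the local tag name only.
    return tag.rsplit("}", 1)[-1]


def cgi_servlet_config(web_xml_text, default_enabled):
    """Inspect web.xml for CGIServlet declarations.

    Returns (declared, cmdline_args_enabled). If a CGI servlet is declared
    without the init-param, default_enabled is reported for it.
    """
    root = ET.fromstring(web_xml_text)
    declared, any_enabled = False, False
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls.strip() != CGI_SERVLET_CLASS:
            continue
        declared = True
        enabled = default_enabled
        for ip in servlet:
            if _local(ip.tag) != "init-param":
                continue
            name = value = ""
            for c in ip:
                if _local(c.tag) == "param-name":
                    name = (c.text or "").strip()
                elif _local(c.tag) == "param-value":
                    value = (c.text or "").strip()
            if name == "enableCmdLineArguments":
                enabled = value.lower() == "true"
        any_enabled = any_enabled or enabled
    return declared, any_enabled


def assess(version, web_xml_text, on_windows):
    """Combine the advisory's conditions into a one-line verdict."""
    if not version_affected(version):
        return "not affected: version outside the advisory ranges"
    declared, cmdline = cgi_servlet_config(web_xml_text, default_cmdline_args(version))
    if not declared:
        return "affected version, but the CGI Servlet is not declared (Tomcat default)"
    if not cmdline:
        return "affected version, CGI Servlet declared with enableCmdLineArguments=false (mitigated)"
    if not on_windows:
        return "affected version, enableCmdLineArguments=true, not on Windows: still upgrade"
    return "VULNERABLE: affected version, enableCmdLineArguments=true on Windows; set it to false or upgrade"


# Constructed web.xml fragment in the layout of Tomcat's conf/web.xml (not taken
# from any real deployment); __VALUE__ is substituted with true or false.
_SAMPLE_TEMPLATE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>__VALUE__</param-value>
    </init-param>
  </servlet>
</web-app>"""


def sample_web_xml(value):
    """Weak ("true") or corrected ("false") form of the constructed sample."""
    return _SAMPLE_TEMPLATE.replace("__VALUE__", value)


if __name__ == "__main__":
    for v in ("8.5.39", "8.5.40", "9.0.0.M1", "9.0.18"):
        print(v, "->", assess(v, sample_web_xml("true"), on_windows=True))
```

To use it against a real server, read conf/web.xml (and any application WEB-INF/web.xml that declares the servlet) into `web_xml_text` and pass the version reported by the Tomcat binary; the verdict string names which of the advisory's mitigations applies.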