CVE-2019-0232
Remote Code Execution vulnerability in org.apache.tomcat.embed:tomcat-embed-core
What is CVE-2019-0232 About?
This vulnerability is a Remote Code Execution flaw in the CGI Servlet of Apache Tomcat on Windows systems, stemming from a bug in how the JRE handles command line arguments. Successful exploitation can lead to arbitrary code execution on the affected server. While default configurations mitigate some risk, exploitation can be moderately easy if specific settings are enabled.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
  - >8.0.0, <8.5.40
  - >7.0.0, <7.0.94
  - >9.0.0.M1, <9.0.17
Technical Details
The vulnerability arises when Apache Tomcat's CGI Servlet runs on a Windows operating system with the `enableCmdLineArguments` option enabled and processes command line arguments. A bug in the Java Runtime Environment (JRE) on Windows causes these arguments to be handled or parsed improperly. An attacker can craft input in the command line arguments that, because of the JRE's parsing flaw, is then executed by the underlying operating system. This bypasses the expected argument parsing and lets the attacker inject and execute arbitrary commands. The CGI Servlet itself is disabled by default, and `enableCmdLineArguments` is also disabled by default in newer Tomcat versions, but if both are explicitly enabled, the attack vector becomes viable.
What is the Impact of CVE-2019-0232?
Successful exploitation may allow attackers to execute arbitrary code on the compromised server, potentially leading to full system compromise, data exfiltration, or denial-of-service conditions.
What is the Exploitability of CVE-2019-0232?
Exploitation of this vulnerability requires specific configuration in the target Apache Tomcat server: the CGI Servlet must be enabled, and importantly, the `enableCmdLineArguments` option must also be enabled. Since both are disabled by default, preconditions involve a non-default setup. The attack is remote, requiring no authentication, and can be initiated by sending a specially crafted request to the CGI Servlet. The complexity is moderate, relying on the attacker's ability to craft arguments that leverage the JRE's Windows-specific parsing flaw. The presence of these specific configuration settings significantly increases the likelihood of successful exploitation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| pyn3rd | Link | Apache Tomcat Remote Code Execution on Windows |
| jas502n | Link | Apache Tomcat Remote Code Execution on Windows - CGI-BIN |
| jaiguptanick | Link | Vulnerability analysis and PoC for the Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (RCE) |
What are the Available Fixes for CVE-2019-0232?
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >7.0.0, <7.0.94 → Upgrade to 7.0.94
  - >8.0.0, <8.5.40 → Upgrade to 8.5.40
  - >9.0.0.M1, <9.0.17 → Upgrade to 9.0.17
Additional Resources
- https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
- https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
- https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
What are Similar Vulnerabilities to CVE-2019-0232?
Similar Vulnerabilities: CVE-2017-12617, CVE-2017-12615, CVE-2014-0096, CVE-2019-0220, CVE-2020-1938
