Apache Software Foundation (ASF) issued new version of Apache Tomcat web-server for elimination of dangerous vulnerability that enables remote code performance and interception of control over server.Vulnerability CVE-2019-0232 contains in Common Gateway Interface (CGI) Servlet and manifests on Windows with turned parameter «enableCmdLineArguments». Issue linked with mechanism of Java Runtime Environment (JRE) transition arguments of command line. As in versions Tomcat 9.0 and higher CGI Servlet and «enableCmdLineArguments» option switched off by default, bug is not classified as critical.
Vulnerability involves versions of Apache Tomcat from 9.0.0.M.I.till 9.0.17, Apache Tomcat 8.5.0 till 8.5.39 and Apache Tomcat 7.0.0 till 7.0.93. Versions of Apache Tomcat 9.0.18 and lower, Apache Tomcat 8.5.40 and higher and Apache Tomcat 7.0.94 are not sensitive to a problem.
Successful exploitation of vulnerability allows remotely perform code on Windows-servers that use vulnerable Apache Tomcat version and fully compromise the system.
Issues resolved by launching Tomcat 9.0.19, 8.5.40 and 7.0.93 versions. All users received recommendations to fix issues as soon as possible. If this they do not have this opportunity, recommended to put meaning “false” for «enableCmdLineArguments» parameter.