Author: markt Date: Wed Apr 10 11:02:51 2019 New Revision: 1857239 URL: http://svn.apache.org/viewvc?rev=1857239&view=rev Log: Add details of CVE-2019-0232
Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1857239&r1=1857238&r2=1857239&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Wed Apr 10 11:02:51 2019 @@ -211,6 +211,9 @@ <a href="#Apache_Tomcat_7.x_vulnerabilities">Apache Tomcat 7.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_7.0.94">Fixed in Apache Tomcat 7.0.94</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_7.0.91">Fixed in Apache Tomcat 7.0.91</a> </li> <li> @@ -394,6 +397,40 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_7.0.94"> +<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 7.0.94</h3> +<div class="text"> + + +<p> +<strong>Important: Remote Code Execution on Windows</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232" rel="nofollow">CVE-2019-0232</a> +</p> + + +<p>When running on Windows with enableCmdLineArguments enabled, the CGI + Servlet is vulnerable to Remote Code Execution due to a bug in the way + the JRE passes command line arguments to Windows. The CGI Servlet is + disabled by default. For a detailed explanation of the JRE behaviour, see + <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus + Wulftange's blog</a> and this archived + <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN + blog</a>.</p> + + +<p>This was fixed with commit <a href="https://github.com/apache/tomcat/commit/7f0221b">7f0221b</a>.</p> + + +<p>This issue was identified by an external security researcher and reported + to the Apache Tomcat security team via the bug bounty program sponsored + by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on + 10 April 2019.</p> + + +<p>Affects: 7.0.0 to 7.0.93</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_7.0.91"> <span class="pull-right">19 September 2018</span> Fixed in Apache Tomcat 7.0.91</h3> <div class="text"> Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1857239&r1=1857238&r2=1857239&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Wed Apr 10 11:02:51 2019 @@ -211,6 +211,9 @@ <a href="#Apache_Tomcat_8.x_vulnerabilities">Apache Tomcat 8.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_8.5.40">Fixed in Apache Tomcat 8.5.40</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_8.5.38">Fixed in Apache Tomcat 8.5.38</a> </li> <li> @@ -373,6 +376,40 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_8.5.40"> +<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 8.5.40</h3> +<div class="text"> + + +<p> +<strong>Important: Remote Code Execution on Windows</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232" rel="nofollow">CVE-2019-0232</a> +</p> + + +<p>When running on Windows with enableCmdLineArguments enabled, the CGI + Servlet is vulnerable to Remote Code Execution due to a bug in the way + the JRE passes command line arguments to Windows. The CGI Servlet is + disabled by default. For a detailed explanation of the JRE behaviour, see + <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus + Wulftange's blog</a> and this archived + <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN + blog</a>.</p> + + +<p>This was fixed with commit <a href="https://github.com/apache/tomcat/commit/5bc4e6d">5bc4e6d</a>.</p> + + +<p>This issue was identified by an external security researcher and reported + to the Apache Tomcat security team via the bug bounty program sponsored + by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on + 10 April 2019.</p> + + +<p>Affects: 8.5.0 to 8.5.39</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_8.5.38"> <span class="pull-right">8 February 2019</span> Fixed in Apache Tomcat 8.5.38</h3> <div class="text"> Modified: tomcat/site/trunk/docs/security-9.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1857239&r1=1857238&r2=1857239&view=diff ============================================================================== --- tomcat/site/trunk/docs/security-9.html (original) +++ tomcat/site/trunk/docs/security-9.html Wed Apr 10 11:02:51 2019 @@ -211,6 +211,9 @@ <a href="#Apache_Tomcat_9.x_vulnerabilities">Apache Tomcat 9.x vulnerabilities</a> </li> <li> +<a href="#Fixed_in_Apache_Tomcat_9.0.18">Fixed in Apache Tomcat 9.0.18</a> +</li> +<li> <a href="#Fixed_in_Apache_Tomcat_9.0.16">Fixed in Apache Tomcat 9.0.16</a> </li> <li> @@ -313,6 +316,42 @@ </div> +<h3 id="Fixed_in_Apache_Tomcat_9.0.18"> +<span class="pull-right">not yet released</span> Fixed in Apache Tomcat 9.0.18</h3> +<div class="text"> + + +<p> +<strong>Important: Remote Code Execution on Windows</strong> + <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232" rel="nofollow">CVE-2019-0232</a> +</p> + + +<p>When running on Windows with enableCmdLineArguments enabled, the CGI + Servlet is vulnerable to Remote Code Execution due to a bug in the way + the JRE passes command line arguments to Windows. The CGI Servlet is + disabled by default. The CGI option enableCmdLineArguments is disabled by + default in Tomcat 9.0.x. For a detailed explanation of the JRE behaviour, + see + <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus + Wulftange's blog</a> and this archived + <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN + blog</a>.</p> + + +<p>This was fixed with commit <a href="https://github.com/apache/tomcat/commit/4b244d8">4b244d8</a>.</p> + + +<p>This issue was identified by an external security researcher and reported + to the Apache Tomcat security team via the bug bounty program sponsored + by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on + 10 April 2019.</p> + + +<p>Affects: 9.0.0.M1 to 9.0.17</p> + + +</div> <h3 id="Fixed_in_Apache_Tomcat_9.0.16"> <span class="pull-right">8 February 2019</span> Fixed in Apache Tomcat 9.0.16</h3> <div class="text"> Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1857239&r1=1857238&r2=1857239&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Wed Apr 10 11:02:51 2019 @@ -50,6 +50,31 @@ </section> + <section name="Fixed in Apache Tomcat 7.0.94" rtext="not yet released"> + + <p><strong>Important: Remote Code Execution on Windows</strong> + <cve>CVE-2019-0232</cve></p> + + <p>When running on Windows with enableCmdLineArguments enabled, the CGI + Servlet is vulnerable to Remote Code Execution due to a bug in the way + the JRE passes command line arguments to Windows. The CGI Servlet is + disabled by default. For a detailed explanation of the JRE behaviour, see + <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus + Wulftange's blog</a> and this archived + <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN + blog</a>.</p> + + <p>This was fixed with commit <hashlink hash="7f0221b">7f0221b</hashlink>.</p> + + <p>This issue was identified by an external security researcher and reported + to the Apache Tomcat security team via the bug bounty program sponsored + by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on + 10 April 2019.</p> + + <p>Affects: 7.0.0 to 7.0.93</p> + + </section> + <section name="Fixed in Apache Tomcat 7.0.91" rtext="19 September 2018"> <p><strong>Moderate: Open Redirect</strong> Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1857239&r1=1857238&r2=1857239&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Wed Apr 10 11:02:51 2019 @@ -50,6 +50,31 @@ </section> + <section name="Fixed in Apache Tomcat 8.5.40" rtext="not yet released"> + + <p><strong>Important: Remote Code Execution on Windows</strong> + <cve>CVE-2019-0232</cve></p> + + <p>When running on Windows with enableCmdLineArguments enabled, the CGI + Servlet is vulnerable to Remote Code Execution due to a bug in the way + the JRE passes command line arguments to Windows. The CGI Servlet is + disabled by default. For a detailed explanation of the JRE behaviour, see + <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus + Wulftange's blog</a> and this archived + <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN + blog</a>.</p> + + <p>This was fixed with commit <hashlink hash="5bc4e6d">5bc4e6d</hashlink>.</p> + + <p>This issue was identified by an external security researcher and reported + to the Apache Tomcat security team via the bug bounty program sponsored + by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on + 10 April 2019.</p> + + <p>Affects: 8.5.0 to 8.5.39</p> + + </section> + <section name="Fixed in Apache Tomcat 8.5.38" rtext="8 February 2019"> <p><strong>Important: Denial of Service</strong> Modified: tomcat/site/trunk/xdocs/security-9.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-9.xml?rev=1857239&r1=1857238&r2=1857239&view=diff ============================================================================== --- tomcat/site/trunk/xdocs/security-9.xml (original) +++ tomcat/site/trunk/xdocs/security-9.xml Wed Apr 10 11:02:51 2019 @@ -50,6 +50,33 @@ </section> + <section name="Fixed in Apache Tomcat 9.0.18" rtext="not yet released"> + + <p><strong>Important: Remote Code Execution on Windows</strong> + <cve>CVE-2019-0232</cve></p> + + <p>When running on Windows with enableCmdLineArguments enabled, the CGI + Servlet is vulnerable to Remote Code Execution due to a bug in the way + the JRE passes command line arguments to Windows. The CGI Servlet is + disabled by default. The CGI option enableCmdLineArguments is disabled by + default in Tomcat 9.0.x. For a detailed explanation of the JRE behaviour, + see + <a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus + Wulftange's blog</a> and this archived + <a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">MSDN + blog</a>.</p> + + <p>This was fixed with commit <hashlink hash="4b244d8">4b244d8</hashlink>.</p> + + <p>This issue was identified by an external security researcher and reported + to the Apache Tomcat security team via the bug bounty program sponsored + by the EU FOSSA-2 project on 3rd March 2019. The issue was made public on + 10 April 2019.</p> + + <p>Affects: 9.0.0.M1 to 9.0.17</p> + + </section> + <section name="Fixed in Apache Tomcat 9.0.16" rtext="8 February 2019"> <p><i>Note: The issue below was fixed in Apache Tomcat 9.0.15 but the --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org