Remote Code Execution Vulnerability In Apache Tomcat
Experts in computer forensics at the International Institute of Cybersecurity (IICS) report that the Apache Software Foundation (ASF) is releasing new versions of Tomcat, its application server. According to the experts, this is due to the presence of a vulnerability that would allow a remote hacker to execute malicious code and take control of the compromised server.
Apache Tomcat is an ASF project; it is an open source web server and servlet container that implements several Java specifications, such as Java Servlet, JavaServer Pages and Expression Language, to provide an HTTP server environment in which Java code can run.
The remote code execution vulnerability (identified as CVE-2019-0232) resides in the Common Gateway Interface (CGI) Servlet when it runs on Windows with enableCmdLineArguments enabled. The vulnerability is due to an error in the way the Java Runtime Environment passes command-line arguments to Windows, the computer forensics experts report.
The remote code execution vulnerability has been rated as 'important, but not critical', because both CGI Servlet and the enableCmdLineArguments option are disabled by default in Apache Tomcat versions 9.0.x. In addition, ASF reported that, as a security measure, the enableCmdLineArguments option of the CGI servlet will be disabled by default in all versions of Apache Tomcat.
Experts in computer forensics mention that, if exploited successfully, this vulnerability would allow a threat actor to execute arbitrary commands on a targeted Windows server running a vulnerable version of Apache Tomcat, which could completely compromise the attacked system.
ASF mentions that Tomcat's security officers received the vulnerability report at the beginning of March; the vulnerability was revealed publicly in recent days, after Apache published the corresponding update patches.
ASF has recommended that administrators install these fixes as soon as possible; where the systems cannot be updated immediately, it is recommended to make sure that the CGI servlet's enableCmdLineArguments initialization parameter is set to false.
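As an added example (not code from the article or from the Tomcat project), the following script audits a Tomcat web.xml, such as conf/web.xml or an application's WEB-INF/web.xml, and reports every CGIServlet declaration whose enableCmdLineArguments is not explicitly false. The sample web.xml below is constructed; the servlet class name org.apache.catalina.servlets.CGIServlet is Tomcat's real CGI servlet. A missing parameter is reported as well, because the article notes that only the 9.0.x line disables it by default.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat web.xml fragment (not taken from the article):
# one CGI servlet with enableCmdLineArguments=true, the setting the advisory
# says to switch off.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def _local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def find_cgi_cmdline_risk(web_xml_text):
    """Return [(servlet-name, value)] for each CGIServlet whose
    enableCmdLineArguments init-param is missing ("(unset)") or not "false".
    An empty list means every CGI servlet carries the recommended setting."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != CGI_SERVLET_CLASS:
            continue
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in ip}
                params[kv.get("param-name")] = kv.get("param-value")
        value = params.get("enableCmdLineArguments")
        if value is None:
            findings.append((fields.get("servlet-name"), "(unset)"))
        elif value.lower() != "false":
            findings.append((fields.get("servlet-name"), value))
    return findings


if __name__ == "__main__":
    for name, val in find_cgi_cmdline_risk(SAMPLE_WEB_XML):
        print(f"servlet '{name}': enableCmdLineArguments={val} -> set it to false")
```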