When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

The version of Tomcat installed on the remote host is prior to 9.0.19. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.19_security-9 advisory.

  - When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to     9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way     the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option     enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all     versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus     Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-     windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.m     icrosoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-     way/). (CVE-2019-0232)

  - The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes     user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The     printenv command is intended for debugging and is unlikely to be present in a production website.
    (CVE-2019-0221)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 9.0.18. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.18_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3929 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.2 serves as a replacement for Red Hat JBoss Web Server 5.1, and     includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes,     linked to in the References.

    Security Fix(es):

    * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)

    * openssl: 0-byte record padding oracle (CVE-2019-1559)

    * tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072)

    * tomcat: XSS in SSI printenv (CVE-2019-0221)

    * tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injec tions-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microso ft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command
-line-arguments-the-wrong-way/). (CVE-2019-0232)

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

The version of Tomcat installed on the remote Windows host is prior to 8.5.40. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote Windows host is version 7.0.x prior to 7.0.94. It is, therefore, affected by a remote code execution vulnerability due to a bug in the way the JRE passes command line arguments to Windows. An unauthenticated, remote attacker can exploit this to execute arbitrary commands. Additionally, it is affected by a cross-site (XSS) scripting vulnerability as the SSI printenv command echoes user provided data without proper escaping.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 or 7.0.0 to 7.0.93. It is, therefore, affected by a remote code execution vulnerability when running on Windows with enableCmdLineArguments enabled due to a bug in the way the JRE passes command line arguments to Windows.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 7.0.94. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_7.0.94_security-7 advisory.

  - When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to     9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way     the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option     enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all     versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus     Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-     windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.m     icrosoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-     way/). (CVE-2019-0232)

  - The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes     user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The     printenv command is intended for debugging and is unlikely to be present in a production website.
    (CVE-2019-0221)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.40. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.40_security-8 advisory.

  - When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to     9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way     the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option     enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all     versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus     Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-     windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.m     icrosoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-     way/). (CVE-2019-0232)

  - The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes     user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The     printenv command is intended for debugging and is unlikely to be present in a production website.
    (CVE-2019-0221)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.18. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.18_security-9 advisory.

  - When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to     9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way     the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option     enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all     versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus     Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-     windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.m     icrosoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-     way/). (CVE-2019-0232)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
197856	Apache Tomcat 9.0.0.M1 < 9.0.19 multiple vulnerabilities	Nessus	Web Servers	high
701436	Apache Tomcat < 9.0.18 Vulnerability	Nessus Network Monitor	Web Servers	critical
131214	RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.2 security (Important) (RHSA-2019:3929)	Nessus	Red Hat Local Security Checks	high
125294	Amazon Linux AMI : tomcat8 (ALAS-2019-1208)	Nessus	Amazon Linux Local Security Checks	high
700698	Apache Tomcat 8.0.x < 8.5.40 Remote Code Execution Vulnerability (Windows)	Nessus Network Monitor	Web Servers	high
700682	Apache Tomcat 7.0.x < 7.0.94 Remote Code Execution Vulnerability (Windows)	Nessus Network Monitor	Web Servers	high
98541	Apache Tomcat 7.0.0 < 7.0.94 Remote Code Execution on Windows	Web App Scanning	Component Vulnerability	high
98540	Apache Tomcat 8.5.0 < 8.5.40 Remote Code Execution on Windows	Web App Scanning	Component Vulnerability	high
98539	Apache Tomcat 9.0.0.M1 < 9.0.19 Remote Code Execution on Windows	Web App Scanning	Component Vulnerability	high
124064	Apache Tomcat 7.0.0 < 7.0.94 multiple vulnerabilities	Nessus	Web Servers	high
124063	Apache Tomcat 8.5.0 < 8.5.40 multiple vulnerabilities	Nessus	Web Servers	high
124058	Apache Tomcat 9.0.0.M1 < 9.0.18	Nessus	Web Servers	high

Detections

Analytics

CVE-2019-0232

high

Tenable Plugins

high

critical

high

high

high

high

high

high

high

high

high

high