Vulnerabilidad en múltiples versiones de Apache Tomcat (CVE-2019-0232)
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-78
Neutralización incorrecta de elementos especiales usados en un comando de sistema operativo (Inyección de comando de sistema operativo)
Fecha de publicación:
15/04/2019
Última modificación:
08/12/2023
Descripción
Cuando se ejecuta Windows con enableCmdLineArguments activado, el Servlet CGI en Apache Tomcat 9.0.0.0.M1 a 9.0.17, 8.5.0 a 8.5.39 y 7.0.0.0 a 7.0.93 es vulnerable a una Ejecución Remota de Código debido a un error en la forma en que el JRE pasa los argumentos de la línea de comando a Windows. El Servlet CGI está deshabilitado por defecto. La opción CGI enableCmdLineArguments está desactivada por defecto en Tomcat 9.0.x (y será desactivada por defecto en todas las versiones en respuesta a esta vulnerabilidad). Para una explicación detallada del comportamiento de JRE, consulte el blog de Markus Wulftange (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) y este blog de MSDN archivado (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Impacto
Puntuación base 3.x
8.10
Gravedad 3.x
ALTA
Puntuación base 2.0
9.30
Gravedad 2.0
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | 7.0.0 (incluyendo) | 7.0.93 (incluyendo) |
| cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | 8.5.0 (incluyendo) | 8.5.39 (incluyendo) |
| cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* | 9.0.1 (incluyendo) | 9.0.17 (incluyendo) |
| cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:* | ||
| cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html
- http://seclists.org/fulldisclosure/2019/May/4
- http://www.securityfocus.com/bid/107906
- https://access.redhat.com/errata/RHSA-2019:1712
- https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/
- https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E
- https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://security.netapp.com/advisory/ntap-20190419-0001/
- https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/
- https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.synology.com/security/advisory/Synology_SA_19_17
- https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/