Apache Tomcat remote code execution vulnerability

Cyber forensics course experts from the International Institute of Cyber Security (IICS) report that Apache Software Foundation (ASF) is launching new versions of Tomcat, its application server. According to experts, this is due to the presence of a vulnerability that would allow a remote hacker to execute malicious code and take control of the compromised server. 

Tomcat is a development of ASF; it is an open source web server and a servlet system that uses several Java specs, such as Java Servlet, JavaServer Pages, and Expression Language to provide an HTTP server environment where Java can be run.

The remote code execution vulnerability (identified as CVE-2019-0232) resides in the Common Gateway Interface (CGI) Servlet when running on Windows with enableCmdLineArguments enabled; according to cyber forensics course specialists, the vulnerability occurs because of an error in how the Java Runtime Environment passes command-line arguments to Windows.

The remote code execution vulnerability has been rated ‘important, but not critical’ because both the CGI Servlet and the enableCmdLineArguments option are disabled by default in Apache Tomcat versions 9.0.x. In addition, ASF reported that, as a security measure, the enableCmdLineArguments option of the CGI servlet will be disabled by default in all versions of Apache Tomcat.

Cyber forensics specialists mention that, if successfully exploited, this vulnerability would allow a threat actor to execute arbitrary commands on a specific Windows server running the vulnerable version of Apache Tomcat, which could completely compromise the attacked server.

ASF mentions that Tomcat security managers received the vulnerability report early in the month of March; the vulnerability was publicly disclosed in recent days, after Apache published the corresponding update patches. 

ASF has recommended that administrators install these fixes as soon as possible; if it is not possible to update the systems immediately, it is recommended to ensure that the CGI servlet's enableCmdLineArguments initialization parameter is set to false.