Apache fixes dangerous RCE flaw in Tomcat application server
Vulnerability affects multiple versions of the software running on Windows
The Apache Software Foundation has issued an update for its Tomcat application server software addressing an important remote code execution vulnerability.
Developed and offered under open source licenses, Tomcat is a Servlet container for Java apps designed to provide a web server environment purely comprised of Java specifications and frameworks.
The flaw, designated as CVE-2019-0232, affects Tomcat versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93. The error is caused by a problem with how command line arguments are passed from the Java Runtime Environment to Windows, and affects instances of the CGI Servlet running on Windows with command line arguments enabled.
Although this vulnerability could allow hackers to remotely execute code on affected servers, its severity was designated as 'important' rather than 'critical', due to the fact that the Servlet in question is disabled by default, as is the option to enable command line arguments in later Tomcat versions.
The flaw was discovered and reported to Apache earlier this month by an unnamed security researcher, and was disclosed by the foundation following the release of the patches as part of Tomcat versions 9.0.19, 8.5.40 and 7.0.93.
Admins are urgently advised to patch any affected servers within their estates. Vulnerabilities in Apache software have led to a number of high-profile breaches, including the notorious Equifax hack, which was the result of an unpatched Apache Spark server.
Top 5 challenges of migrating applications to the cloud
Explore how VMware Cloud on AWS helps to address common cloud migration challengesDownload now
3 reasons why now is the time to rethink your network
Changing requirements call for new solutionsDownload now
All-flash buyer’s guide
Tips for evaluating Solid-State ArraysDownload now
Enabling enterprise machine and deep learning with intelligent storage
The power of AI can only be realised through efficient and performant delivery of dataDownload now