Bug 1701056 (CVE-2019-0232)
Summary: | CVE-2019-0232 tomcat: Remote Code Execution on Windows | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | tomcat 7.0.94, tomcat 8.5.40, tomcat 9.0.19 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was discovered in Apache Tomcat in the way the Java Runtime Environment passes command-line arguments to the Windows operating system. An attacker could exploit this through Tomcat's Common Gateway Interface (CGI) Servlet to execute arbitrary commands, resulting in remote code execution.
|
Last Closed: | 2019-07-12 13:07:01 UTC | Type: | --- |
Bug Blocks: | 1700240 |
Description
Laura Pardo
2019-04-17 21:47:48 UTC
Statement:

This vulnerability is specific to the Windows platform's treatment of file names and how they must be quoted. Tomcat running on Linux hosts is not affected.

This issue has been addressed in the following products:

Red Hat JBoss Web Server

Via RHSA-2019:1712 https://access.redhat.com/errata/RHSA-2019:1712

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-0232