Nexus Intelligence Insights: CVE-2019-0232 - Apache Tomcat CGI Servlet Remote Code Execution

April 26, 2019 By Elisa Velarde

3 minute read time

In this month’s edition of Nexus Intelligence Insights we’ll explore a vulnerability that can be exploited through a variety of vectors including through a confusing patch release, which if not implemented wisely, could make the application vulnerable to arbitrary command execution.

Remote code vulnerabilities garner a large amount of  attention due to their potential to cause significant and lasting damage. Their existence opens up a variety of vectors for an attacker to totally compromise the confidentiality, integrity, and availability of mission-critical systems.

The Apache Tomcat suite of tools is one of many component sets that has fallen vulnerable to remote code execution attacks, and as such there are multiple CVEs associated with these issues. With greater than a 60% market share when it comes to Java application server deployments, Tomcat Server is the popular, “go-to” choice of server for Java environments. It’s popularity is both a blessing and a curse.

Part of what Sonatype does every day is take a very granular look at vulnerabilities that have a critical impact on our user base. In many cases, we agree with the project’s general fix and remediation guidance as we hone that information to show the contextual impact on our customer’s specific ecosystems. However, there are instances, and this particular vulnerability is one of those, where we disagree with the advisory and remediation guidance issued by the project.

This month, we’ll talk more about the origin and history of this vulnerability, the initial patch and why we disagree with the project’s prescribed guidance in this case.

Name of Vulnerability/Sonatype ID: CVE-2019-0232

Type of Vulnerability: Remote Code Execution

Components Affected:
The following versions of Apache Tomcat are impacted.

org.apache.tomcat : tomcat-catalina : [9.0.0.M1, 9.0.19)
org.apache.tomcat : tomcat-catalina : [8.0.0-RC1, 8.5.40)
org.apache.tomcat : tomcat-catalina : [7.0.0, 7.0.94)
org.apache.tomcat.embed : tomcat-embed-core : [9.0.0.M1, 9.0.19)
org.apache.tomcat.embed : tomcat-embed-core : [8.0.0-RC1, 8.5.40)
org.apache.tomcat.embed : tomcat-embed-core : [7.0.0, 7.0.94)

Vulnerability Description:

CVE-2019-0232 arises from both a misconfigured default option in some versions, and lack of proper input sanitization, which could lead to an attacker taking over a Windows system. The vulnerability gives attackers the ability to execute arbitrary system commands on a Windows environment on which a vulnerable instance of Tomcat CGI Servlet is running. It must be noted, even though the `enableCmdLineArguments` option is disabled by default in Tomcat 9.0.x, changing this setting due to negligence when configuring will open up this vulnerability. Even more important, the older vulnerable versions without an `enableCmdLineArguments` option remain vulnerable with upgrading to a fixed version being the only remediation.

Attack Mechanics:

For those of you who prefer to see a screenshot. Let’s repeat the “Real World” step-by-step at the code level, but a bit more simplified.

Introduction of this vulnerability shows the ‘command’ variable isn’t being sanitized:

 screenshot 1 for 0232

The fix incorporates “regex” pattern matching to prevent input from executing as commands on Windows systems.

screenshot 2 for 0232

The best remediation path:

As discussed in the video, the most obvious way to prevent a remote code execution attack with this specific vector is to upgrade to the appropriate version and to use proper development “hygiene” to avoid inadvertently enabling the command line arguments by altering the configuration. For 7.0.x, the advisory mentions upgrading to 7.0.93 which appears to be a typographical error as 7.0.93 is not a fixed version. Version 7.0.94 has been released and this contains the fix.

DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of the hackers. Customers of Sonatype Nexus were notified of CVE-2019-0232 within days of the discovery. Their development teams automatically received specific instructions on how to remediate the risk.

If you're not a Sonatype customer and want to find out if you're using vulnerable component in your application, you can use Sonatype's free Nexus Vulnerability Scanner to quickly find out. 

Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Nexus Intelligence Insights hot off the press. 

Tags: vulnerability, vulnerabilities, apache tomcat, remote code execution, featured, Nexus Intelligence, Nexus Intelligence Insights, devsecops architectures, enableCmdline, cve-2019-0232

Written by Elisa Velarde

Elisa was a Senior Product Marketing Manager at Sonatype. She brought over 10 years of experience in sourcing, mentoring, and leading Marketing or full Agile product teams while maintaining a collaborative, cross-departmental approach to support company goals.