Support Content Notification - Support Portal

BSA-2019-784

Product/Component

Brocade Fabric OS

2 more products

Notification Id

21663

Last Updated

16 April 2019

Initial Publication Date

16 April 2019

Status

Closed

Severity

Medium

CVSS Base Score

8.1

WorkAround

N/A

Affected CVE

CVE-2019-0232

Summary

Security Advisory ID : BSA-2019-784

Component : Apache Tomcat

Revision : 1.0: Initial

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Products Confirmed Not Vulnerable

No Brocade Fibre Channel technology products from Broadcom are currently known to be affected by this vulnerability.

Revision History

Version	Change	Date
1.0	Initial Publication	April 18, 2019