+8Recently came across this CVE and haven't seen it posted yet.
http://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E
This seems to effect all current versions of Jamf Pro running on Windows.
Until Tomcat is updated in a future Jamf Pro release the current mitigation is to ensure the enableCmdLineArguments parameter of the CGI servlet is set to false.
+8Hello @adthree & @afarnsworth -
This CVE was fixed in Tomcat 8.5.40 which was released last Saturday, April 13th and is included in the RC of Jamf Pro 10.12.0.
+6@drhoten thats what I was hoping for! Any concerns with disabling the enableCmdLineArguments from the Jamf side of things in the interim while we wait for 10.12 to drop?
+12@adthree By default CGI support is disabled in Tomcat. If CGI support is explicitly enabled, then the default value for 'enableCmdLineArguments' is false:
https://tomcat.apache.org/tomcat-8.5-doc/cgi-howto.html
By default CGI support is disabled in Tomcat.
- enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of 3875 RFC? The default is false.
This can be verified by checking for the servlet class 'org.apache.catalina.servlets.CGIServlet' in web.xml at the Tomcat level ($CATALINA_BASE/conf/web.xml) and/or at the web application level (./WEB-INF/web.xml). This servlet is commented out in the Tomcat web.xml and does not exist in the web.xml for the Jamf Pro web application.
In any case, it should not be a problem to explicitly set 'enableCmdLineArguments' to false since that should be the default setting already, but this has not been officially tested or verified by Jamf since Apache Tomcat 8.5.40, which remediates this issue, will be shipped with the next release of Jamf Pro.
Let us know if you run into any problems or if there are any other questions or concerns.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.