CVE-2019-0232 - Tomcat Running on Windows

afarnsworth
Contributor

Recently came across this CVE and haven't seen it posted yet.

http://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E

This seems to affect all current versions of Jamf Pro running on Windows.

Until Tomcat is updated in a future Jamf Pro release, the current mitigation is to ensure the enableCmdLineArguments parameter of the CGI servlet is set to false.

4 REPLIES

adthree
New Contributor III

Our Tenable agent and infosec just pinged me about this, oh boy! Thanks @afarnsworth

drhoten
Contributor II

Hello @adthree & @afarnsworth -

This CVE was fixed in Tomcat 8.5.40 which was released last Saturday, April 13th and is included in the RC of Jamf Pro 10.12.0.

adthree
New Contributor III

@drhoten that's what I was hoping for! Any concerns with disabling the enableCmdLineArguments from the Jamf side of things in the interim while we wait for 10.12 to drop?

jason_vanzanten
New Contributor III

@adthree By default CGI support is disabled in Tomcat. If CGI support is explicitly enabled, then the default value for 'enableCmdLineArguments' is false:

https://tomcat.apache.org/tomcat-8.5-doc/cgi-howto.html

By default CGI support is disabled in Tomcat.
- enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of 3875 RFC? The default is false.

This can be verified by checking for the servlet class 'org.apache.catalina.servlets.CGIServlet' in web.xml at the Tomcat level ($CATALINA_BASE/conf/web.xml) and/or at the web application level (./WEB-INF/web.xml). This servlet is commented out in the Tomcat web.xml and does not exist in the web.xml for the Jamf Pro web application.

In any case, it should not be a problem to explicitly set 'enableCmdLineArguments' to false since that should be the default setting already, but this has not been officially tested or verified by Jamf since Apache Tomcat 8.5.40, which remediates this issue, will be shipped with the next release of Jamf Pro.

Let us know if you run into any problems or if there are any other questions or concerns.
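
The web.xml check described in the reply above, as an added example that is not part of the original thread and not Jamf or Tomcat tooling. The function name `audit_web_xml` and the `SAMPLE` document are constructed for illustration, and a missing `enableCmdLineArguments` parameter is reported as `unset` rather than assumed to be any particular default.

```python
import sys
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample, not a real Jamf Pro or Tomcat file: one CGI servlet is
# commented out (as the post says of Tomcat's web.xml), one is active.
SAMPLE = f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <!-- <servlet><servlet-name>cgi</servlet-name>
       <servlet-class>{CGI_CLASS}</servlet-class></servlet> -->
  <servlet>
    <servlet-name>cgi-active</servlet-name>
    <servlet-class>{CGI_CLASS}</servlet-class>
    <init-param><param-name>enableCmdLineArguments</param-name>
                <param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    for child in elem:  # first direct child with this local name
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_data):
    """Return (servlet-name, status) for each active CGIServlet declaration.
    XML comments are dropped by the parser, so commented-out servlets are skipped."""
    findings = []
    for servlet in ET.fromstring(xml_data).iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-class") != CGI_CLASS:
            continue
        status = "unset"  # no explicit value: the Tomcat version's default applies
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _text(param, "param-name") == "enableCmdLineArguments"):
                value = _text(param, "param-value") or ""
                status = "enabled" if value.lower() == "true" else "disabled"
        findings.append((_text(servlet, "servlet-name"), status))
    return findings

if __name__ == "__main__":
    print("sample:", audit_web_xml(SAMPLE))
    for path in sys.argv[1:]:  # paths to web.xml files to audit
        with open(path, "rb") as fh:
            print(path, audit_web_xml(fh.read()))
```

Pass it both `$CATALINA_BASE/conf/web.xml` and the application's `WEB-INF/web.xml`; an empty result means no active CGI servlet is declared in that file, while `enabled` or `unset` marks where the thread's mitigation (setting the parameter to false) applies.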