Our Tenable agent and infosec just pinged me about this, oh boy! Thanks @afarnsworth
Hello @adthree & @afarnsworth -
This CVE was fixed in Tomcat 8.5.40 which was released last Saturday, April 13th and is included in the RC of Jamf Pro 10.12.0.
@drhoten that's what I was hoping for! Any concerns with disabling the enableCmdLineArguments from the Jamf side of things in the interim while we wait for 10.12 to drop?
@adthree By default CGI support is disabled in Tomcat. If CGI support is explicitly enabled, then the default value for 'enableCmdLineArguments' is false:
https://tomcat.apache.org/tomcat-8.5-doc/cgi-howto.html
By default CGI support is disabled in Tomcat.
- enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of 3875 RFC? The default is false.
This can be verified by checking for the servlet class 'org.apache.catalina.servlets.CGIServlet' in web.xml at the Tomcat level ($CATALINA_BASE/conf/web.xml) and/or at the web application level (./WEB-INF/web.xml). This servlet is commented out in the Tomcat web.xml and does not exist in the web.xml for the Jamf Pro web application.
In any case, it should not be a problem to explicitly set 'enableCmdLineArguments' to false since that should be the default setting already, but this has not been officially tested or verified by Jamf since Apache Tomcat 8.5.40, which remediates this issue, will be shipped with the next release of Jamf Pro.
Let us know if you run into any problems or if there are any other questions or concerns.
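One way to script the web.xml check described above, as an added example (not Jamf's or Tomcat's own code): it parses a web.xml, reports whether the CGIServlet is declared, and reads the enableCmdLineArguments init-param, treating an absent parameter as false per the Tomcat docs. The two web.xml fragments are constructed samples; point the function at the contents of $CATALINA_BASE/conf/web.xml and the application's WEB-INF/web.xml to check a real install.

```python
import xml.etree.ElementTree as ET

CGI_SERVLET = "org.apache.catalina.servlets.CGIServlet"

def _local(tag):
    """Strip the {namespace} prefix that web.xml elements carry."""
    return tag.split("}", 1)[-1]

def _text(elem, name):
    """Text of the first child of elem whose local name is `name`, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def cgi_servlet_status(web_xml_text):
    """Return (cgi_servlet_declared, enable_cmd_line_arguments) for one web.xml.

    A servlet block that is commented out (as in Tomcat's stock conf/web.xml)
    never reaches the element tree, so it is reported as not declared. The
    init-param defaults to False when absent, matching Tomcat's documented default.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet" or _text(servlet, "servlet-class") != CGI_SERVLET:
            continue
        cmdline = False
        for param in servlet:
            if _local(param.tag) == "init-param" and _text(param, "param-name") == "enableCmdLineArguments":
                cmdline = _text(param, "param-value").lower() == "true"
        return True, cmdline
    return False, False

# Constructed samples: the first mirrors Tomcat's default (servlet commented out),
# the second is a CGI servlet explicitly enabled with the risky setting turned on.
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- <servlet><servlet-name>cgi</servlet-name>
       <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet> -->
</web-app>"""
ENABLED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    print(cgi_servlet_status(DEFAULT_WEB_XML), cgi_servlet_status(ENABLED_WEB_XML))
```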