Recently came across this CVE and haven't seen it posted yet.
This seems to affect all current versions of Jamf Pro running on Windows.
Until Tomcat is updated in a future Jamf Pro release the current mitigation is to ensure the enableCmdLineArguments parameter of the CGI servlet is set to false.
@adthree By default CGI support is disabled in Tomcat. If CGI support is explicitly enabled, then the default value for 'enableCmdLineArguments' is false:
- enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of RFC 3875? The default is false.
This can be verified by checking for the servlet class 'org.apache.catalina.servlets.CGIServlet' in web.xml at the Tomcat level ($CATALINA_BASE/conf/web.xml) and/or at the web application level (./WEB-INF/web.xml). This servlet is commented out in the Tomcat web.xml and does not exist in the web.xml for the Jamf Pro web application.
In any case, it should not be a problem to explicitly set 'enableCmdLineArguments' to false since that should be the default setting already, but this has not been officially tested or verified by Jamf since Apache Tomcat 8.5.40, which remediates this issue, will be shipped with the next release of Jamf Pro.
Let us know if you run into any problems or if there are any other questions or concerns.
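As an added example (not code from Jamf or from this thread), the verification described above can be scripted: parse a web.xml, report whether the 'org.apache.catalina.servlets.CGIServlet' is actually active (a commented-out servlet does not count) and what the effective enableCmdLineArguments value is. The sample web.xml fragments are constructed for illustration and are not Jamf's or Tomcat's real files.

```python
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

def _local(tag):
    # Drop the XML namespace so the check works for any web-app schema version.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def cgi_servlet_status(web_xml):
    # A commented-out <servlet> is not an element, so it correctly reads as disabled.
    # If the servlet is active and the init-param is absent, Tomcat's default (false) applies.
    status = {"cgi_enabled": False, "enable_cmd_line_arguments": False}
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet" or _child_text(servlet, "servlet-class") != CGI_SERVLET_CLASS:
            continue
        status["cgi_enabled"] = True
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "enableCmdLineArguments":
                status["enable_cmd_line_arguments"] = (_child_text(param, "param-value") or "").lower() == "true"
    return status

def needs_mitigation(web_xml):
    # Only an active CGI servlet with enableCmdLineArguments=true is exposed.
    s = cgi_servlet_status(web_xml)
    return s["cgi_enabled"] and s["enable_cmd_line_arguments"]

# Constructed samples (not Jamf's or Tomcat's real files) in the layout of Tomcat's conf/web.xml.
WEB_XML_DEFAULT = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!-- <servlet>
         <servlet-name>cgi</servlet-name>
         <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
       </servlet> -->
</web-app>"""
_CGI_ACTIVE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>{value}</param-value>
    </init-param>
  </servlet>
</web-app>"""
WEB_XML_WEAK = _CGI_ACTIVE.format(value="true")       # the setting the thread warns about
WEB_XML_MITIGATED = _CGI_ACTIVE.format(value="false")  # the recommended explicit mitigation
```

Run it against the contents of $CATALINA_BASE/conf/web.xml and the application's WEB-INF/web.xml; `needs_mitigation(...)` returns True only for the active-servlet, enableCmdLineArguments=true case.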