Posted on 04-22-2019 07:50 AM
Recently came across this CVE and haven't seen it posted yet.
This seems to affect all current versions of Jamf Pro running on Windows.
Until Tomcat is updated in a future Jamf Pro release the current mitigation is to ensure the enableCmdLineArguments parameter of the CGI servlet is set to false.
Posted on 04-22-2019 09:18 AM
Posted on 04-22-2019 10:25 AM
Hello @adthree & @afarnsworth -
This CVE was fixed in Tomcat 8.5.40 which was released last Saturday, April 13th and is included in the RC of Jamf Pro 10.12.0.
Posted on 04-22-2019 11:31 AM
@drhoten that's what I was hoping for! Any concerns with disabling the enableCmdLineArguments from the Jamf side of things in the interim while we wait for 10.12 to drop?
Posted on 04-22-2019 02:01 PM
@adthree By default CGI support is disabled in Tomcat. If CGI support is explicitly enabled, then the default value for 'enableCmdLineArguments' is false:
By default CGI support is disabled in Tomcat.
- enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of RFC 3875? The default is false.
This can be verified by checking for the servlet class 'org.apache.catalina.servlets.CGIServlet' in web.xml at the Tomcat level ($CATALINA_BASE/conf/web.xml) and/or at the web application level (./WEB-INF/web.xml). This servlet is commented out in the Tomcat web.xml and does not exist in the web.xml for the Jamf Pro web application.
In any case, it should not be a problem to explicitly set 'enableCmdLineArguments' to false since that should be the default setting already, but this has not been officially tested or verified by Jamf since Apache Tomcat 8.5.40, which remediates this issue, will be shipped with the next release of Jamf Pro.
Let us know if you run into any problems or if there are any other questions or concerns.
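The check described in the post above (look for the CGIServlet class in the Tomcat-level and web-application-level web.xml, and confirm the effective value of enableCmdLineArguments) can be scripted. The following is an added example written for this thread, not code from Jamf or from the Tomcat project. It assumes only the standard library and the two file locations named above; the three web.xml samples embedded in it are constructed for illustration and are not real Jamf Pro or Tomcat files. The XML parser drops comments, so the commented-out CGIServlet block that ships in Tomcat's default web.xml is correctly reported as disabled, and a missing init-param is treated as false because that is the documented Tomcat default.

```python
"""Audit Tomcat web.xml files for CGIServlet and enableCmdLineArguments.

Added example for this thread (not Jamf's or Tomcat's own tooling).
Assumes: only the standard library; web.xml lives at
$CATALINA_BASE/conf/web.xml and <webapp>/WEB-INF/web.xml as the post says.
"""
import os
import xml.etree.ElementTree as ET
from pathlib import Path

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def _local(tag):
    """Strip the XML namespace; Tomcat's web.xml declares a default xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_web_xml(xml_text):
    """Return {'cgi_enabled', 'cmdline_args', 'safe'} for one web.xml.

    cgi_enabled:  an active (not commented-out) <servlet> uses CGIServlet.
                  ElementTree discards XML comments, so Tomcat's default
                  commented-out block does not count as enabled.
    cmdline_args: effective enableCmdLineArguments value; Tomcat's documented
                  default is false, so an absent init-param is False.
    safe:         False only when CGI is enabled with cmdline args on.
    """
    root = ET.fromstring(xml_text)
    cgi_enabled = False
    cmdline_args = False
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                cls = (child.text or "").strip()
            elif name == "init-param":
                pn = pv = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pn = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pv = (p.text or "").strip()
                if pn is not None:
                    params[pn] = pv
        if cls == CGI_SERVLET_CLASS:
            cgi_enabled = True
            cmdline_args = (params.get("enableCmdLineArguments") or "false").lower() == "true"
    return {"cgi_enabled": cgi_enabled, "cmdline_args": cmdline_args,
            "safe": not (cgi_enabled and cmdline_args)}


def audit_paths(paths):
    """Audit every path that exists; files that are absent are skipped."""
    return {str(p): audit_web_xml(Path(p).read_text(encoding="utf-8"))
            for p in paths if Path(p).is_file()}


# Constructed samples for illustration (not real Jamf Pro or Tomcat files).
NS = 'xmlns="http://xmlns.jcp.org/xml/ns/javaee"'
# 1. Tomcat default shape: CGIServlet appears only inside a comment.
DEFAULT_WEB_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<web-app {NS} version="3.1">
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>{CGI_SERVLET_CLASS}</servlet-class>
  </servlet>
  -->
</web-app>"""
# 2. CGI explicitly enabled with command line arguments turned on.
UNSAFE_WEB_XML = f"""<web-app {NS} version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>{CGI_SERVLET_CLASS}</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""
# 3. CGI enabled, with the interim mitigation from the thread applied.
MITIGATED_WEB_XML = UNSAFE_WEB_XML.replace("<param-value>true", "<param-value>false")

if __name__ == "__main__":
    for label, text in [("tomcat default", DEFAULT_WEB_XML),
                        ("cgi + cmdline args", UNSAFE_WEB_XML),
                        ("cgi, mitigated", MITIGATED_WEB_XML)]:
        print(f"{label:20} {audit_web_xml(text)}")
    base = os.environ.get("CATALINA_BASE", "")
    for path, result in audit_paths([Path(base, "conf", "web.xml")]).items():
        print(path, result)
```

Run it with CATALINA_BASE set to the Tomcat directory of the Jamf Pro server, and pass the web application's WEB-INF/web.xml to audit_paths as well; a result with cgi_enabled False on both files means there is no servlet to set the parameter on, which matches what the post says about the default Jamf Pro web.xml.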