Synology-SA-19:17 Tomcat
Publish Time: 2019-04-17 17:42:06 UTC+8
Last Updated: 2019-05-30 10:22:12 UTC+8
- Severity
- Not affected
- Status
- Resolved
Abstract
Since CVE-2019-0232 only affects when Tomcat is deployed on Microsoft Windows, none of the Synology products are affected as Synology Tomcat7 and Tomcat6 are restricted to execute on DiskStation Manager (DSM).
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| Tomcat7 | Not affected | N/A |
| Tomcat6 | Not affected | N/A |
Mitigation
None
Detail
- CVE-2019-0232
- Severity: Not affected
- CVSS3 Base Score: 0.0
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
- When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Reference
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2019-04-17 | Initial public release. |
| 2 | 2019-05-30 | Disclosed vulnerability details. |