The Apache Software Foundation has released an update to its Tomcat application server software that addresses a major vulnerability, a remote code execution flaw, IT Pro writes.
Tomcat is developed and distributed under open source licenses. It is a Servlet container for Java applications, designed to provide a web server environment built purely on Java specifications and frameworks. The software was found to contain a vulnerability that allows attackers to remotely execute code on affected servers.
Not critical
The vulnerability, tracked as CVE-2019-0232, affects Tomcat versions 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93. The flaw stems from the way command line arguments are passed from the Java Runtime Environment to Windows, and affects instances of the CGI Servlet running on Windows when command line arguments are enabled.
Although the vulnerability enables attackers to remotely execute code on affected servers, its severity was rated ‘important’ rather than ‘critical’. This is because the Servlet in question is disabled by default, as is the option to enable command line arguments in later Tomcat versions.
The vulnerability was discovered earlier this month and reported to Apache by an unnamed security researcher. The Foundation disclosed the vulnerability after releasing its patches, in Tomcat versions 9.0.19, 8.5.40 and 7.0.93. Administrators are advised to install the update on affected servers.
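As an added illustration (not part of the original article or of the Tomcat project), the following audit helper checks a Tomcat instance against the three conditions the article names for CVE-2019-0232: an affected version, the CGI Servlet declared in web.xml, and command line arguments enabled. The version ranges are the ones quoted above; the servlet class name and the enableCmdLineArguments init-param are Tomcat's real names, and the web.xml shown is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Affected version ranges as stated in the article (inclusive bounds).
AFFECTED = [((9, 0, 0), (9, 0, 17)), ((8, 5, 0), (8, 5, 39)), ((7, 0, 0), (7, 0, 93))]
CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample web.xml: CGI servlet declared with command-line arguments on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

def parse_version(version):
    """'9.0.17' -> (9, 0, 17); a milestone such as '9.0.0.M1' maps to (9, 0, 0)."""
    nums = [int(x) for x in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def version_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def _local(elem):
    # Strip the XML namespace so tags compare by local name only.
    return elem.tag.split("}")[-1]

def cgi_cmdline_enabled(web_xml):
    """True if a CGIServlet is declared with enableCmdLineArguments set to true."""
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e) == "servlet"):
        classes = [(c.text or "").strip() for c in servlet if _local(c) == "servlet-class"]
        if CGI_SERVLET_CLASS not in classes:
            continue
        for param in (p for p in servlet if _local(p) == "init-param"):
            kv = {_local(c): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "enableCmdLineArguments" \
                    and kv.get("param-value", "").lower() == "true":
                return True
    return False

def at_risk(version, web_xml, on_windows):
    """All three conditions from the advisory must hold for the instance to be exposed."""
    return on_windows and version_affected(version) and cgi_cmdline_enabled(web_xml)
```

On a real host, read the deployed web.xml (Tomcat's conf/web.xml and each application's WEB-INF/web.xml) and pass the actual version string and platform.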
Previous vulnerability
Earlier this month, it was announced that the Apache HTTP Server – the most widely used web server on the Internet – also contained a serious vulnerability. It made it possible for untrusted users or software to gain unrestricted control over the machine on which the software runs.
The vulnerability allowed scripts running without privileges to overwrite sensitive parts of the server’s memory. A rogue script could use that flaw to obtain root access. The error has since been fixed.
This news article was automatically translated from Dutch.