New Detection for RCE in Apache Tomcat on Windows

Document created by Dave Ferguson (Employee) on Apr 27, 2019. Last modified by Dave Ferguson (Employee) on Apr 27, 2019. Version 3.
Hello all,
Qualys WAS has been updated with a new detection for CVE-2019-0232, a remote code execution (RCE) vulnerability in Apache Tomcat running on Microsoft Windows. This is a very serious vulnerability, but it is exploitable only when the CGI Servlet is enabled in Tomcat. The CGI Servlet is disabled by default, so the number of exposed Tomcat instances is far smaller than it would otherwise have been.

Ensure that QID 150240 is enabled in your WAS vulnerability scans to test for this issue. More details about the vulnerability can be found in the Apache Tomcat security advisory.
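As an added example, not code from this post or from the Apache Tomcat project, the following Python reads a Tomcat conf/web.xml and reports whether the exposure condition named above holds, i.e. whether the CGI Servlet is declared and mapped to a URL. The servlet class name org.apache.catalina.servlets.CGIServlet is taken from Tomcat's documentation, and the two web.xml samples are constructed for the demonstration.

```python
# Added example, not code from the Qualys post or from Apache Tomcat: checks a
# Tomcat conf/web.xml for an enabled CGI Servlet. Sample inputs are constructed.
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

def _local(tag):
    # Strip the XML namespace; web.xml namespaces differ across Tomcat versions.
    return tag.rsplit("}", 1)[-1]

def _child_text(el, name):
    # Trimmed text of every direct child element called `name`.
    return [(c.text or "").strip() for c in el if _local(c.tag) == name]

def cgi_servlet_status(web_xml_text):
    """Whether the CGI Servlet is declared, and which URL patterns map to it.
    ElementTree discards XML comments, so the commented-out <servlet> block in
    a stock conf/web.xml is correctly reported as not declared."""
    root = ET.fromstring(web_xml_text)
    status = {"declared": False, "servlet_name": None, "url_patterns": []}
    for el in root:
        if _local(el.tag) == "servlet" and CGI_SERVLET_CLASS in _child_text(el, "servlet-class"):
            status["declared"] = True
            status["servlet_name"] = _child_text(el, "servlet-name")[0]
    for el in root:
        if (status["declared"] and _local(el.tag) == "servlet-mapping"
                and status["servlet_name"] in _child_text(el, "servlet-name")):
            status["url_patterns"] += _child_text(el, "url-pattern")
    return status

def cgi_servlet_enabled(web_xml_text):
    # True only when declared and mapped: the precondition for CVE-2019-0232 exposure.
    s = cgi_servlet_status(web_xml_text)
    return s["declared"] and bool(s["url_patterns"])

# Constructed sample: shape of a stock conf/web.xml, CGI Servlet commented out.
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>"""

# Constructed sample: same file with the comment markers removed (exposed state).
ENABLED_WEB_XML = DEFAULT_WEB_XML.replace("<!--", "").replace("-->", "")
```

Run `cgi_servlet_enabled` over each instance's conf/web.xml (and any application-level web.xml) to triage which Tomcat hosts actually meet the CGI Servlet precondition before the patch is rolled out.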