The Apache Software Foundation has released new versions of Apache Tomcat 7, 8 and 9 to address a vulnerability in the CGI Servlet. Attackers could exploit the vulnerability to pass command line arguments to the Windows environment through the Java Runtime Environment (JRE).
Successful exploitation of the vulnerability could lead to arbitrary code execution on an affected system.
The Apache Software Foundation has released new versions of the products to address the issue; they can be downloaded at the following URLs:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.94
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.40
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.19
http://mail-archives.us.apache.org/mod_mbox/www-announce/201904.mbox/%3C13d878ec-5d49-c348-48d4-25a6c81b9605%40apache.org%3E
https://www.us-cert.gov/ncas/current-activity/2019/04/14/Apache-Releases-Security-Updates-Apache-Tomcat
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
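
The following triage check is an added example, not code from Apache or from this advisory: it compares a Tomcat version string with the fixed releases named in the links above (7.0.94, 8.5.40, 9.0.19) and reports whether a `web.xml` actively declares the CGI Servlet. It assumes the servlet class `org.apache.catalina.servlets.CGIServlet` and its `enableCmdLineArguments` init parameter, neither of which is named on this page; the function names and the sample `web.xml` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, taken from the advisory's links.
FIXED = {(7, 0): (7, 0, 94), (8, 5): (8, 5, 40), (9, 0): (9, 0, 19)}
CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"  # assumed class name
# Constructed sample web.xml: one commented-out and one active CGI servlet.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
<!-- <servlet><servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class></servlet> -->
<servlet><servlet-name>cgi</servlet-name>
<servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
<init-param><param-name>enableCmdLineArguments</param-name>
<param-value>true</param-value></init-param></servlet></web-app>"""

def is_patched(version_text):
    """True/False on a branch listed in FIXED, None for any other branch."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no version number in {version_text!r}")
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v >= fixed

def _local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _children(el):
    return {_local(c): (c.text or "").strip() for c in el}

def cgi_servlets(web_xml):
    """(servlet-name, enableCmdLineArguments or None) per active CGIServlet.
    Declarations inside XML comments are never parsed, so they are skipped."""
    out = []
    for el in ET.fromstring(web_xml).iter():
        if _local(el) != "servlet" or _children(el).get("servlet-class") != CGI_CLASS:
            continue
        params = {}
        for child in el:
            if _local(child) == "init-param":
                kv = _children(child)
                params[kv.get("param-name")] = kv.get("param-value")
        out.append((_children(el).get("servlet-name"), params.get("enableCmdLineArguments")))
    return out

def triage(version_text, web_xml):
    servlets, patched = cgi_servlets(web_xml), is_patched(version_text)
    if not servlets:
        return "cgi-not-enabled"
    if patched is not False:
        return "patched" if patched else "branch-not-covered"
    explicit = any((v or "").lower() == "true" for _, v in servlets)
    return "unpatched-args-enabled" if explicit else "unpatched-check-default"
```

Run it against both `conf/web.xml` and each application's `WEB-INF/web.xml`, since the servlet can be declared in either place.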