Apache Tomcat 8.5.40 Released & CVE-2019-0232

pechandler · April 16, 2019, 12:03am

My Nexus IQ Server says:
Apache Tomcat 8.5.40 (Group:org.apache.tomcat.embed Artifact:tomcat-embed-core Version: 8.5.40) has CVE-2019-0232

Apache Tomcat says

Tomcat 8.5.40 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.40 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.39 include:

Fix for CVE-2019-0232, an RCE vulnerability on Windows
Add support for Java 11 to the JSP compiler. Java 12 and 13 are also now supported if used with a ECJ version with support for those Java versions
Various NIO2 stability improvements

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

nickcook · April 16, 2019, 12:29am

Hey Peter,

Thanks for taking the time to post this. I’m going to ping our data team and have them take a look. We’ll get back to you with more information soon!

Cheers,

Nick

pechandler · April 16, 2019, 12:36am

Thanks. see: NVD - CVE-2019-0232 apache tomcat version 8.5.40 is NOT listed.

nickcook · April 16, 2019, 3:41pm

Hi Peter,

To follow up on this, it looks like our Full Deep Dive research was recently completed on CVE-2019-0232. Unfortunately 8.5.40 was not published by the time we completed our research so the range was left open-ended. Our system was notified of the 8.5.40 release and that data is working its way through the pipeline.

I would expect you will see this updated in IQ server in a few days.

Hope that helps!

Cheers,
Nick

pechandler · April 18, 2019, 4:42pm

Nick,

Do you have a time frame when this will be updated in the IQ server? Could you please notify me when you make the update?

Thanks,

Peter.