Apache Tomcat 8.5.40 Released & CVE-2019-0232


#1

My Nexus IQ Server says:
Apache Tomcat 8.5.40 (Group:org.apache.tomcat.embed Artifact:tomcat-embed-core Version: 8.5.40) has CVE-2019-0232

Apache Tomcat says:

Tomcat 8.5.40 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.40 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.39 include:

  • Fix for CVE-2019-0232, an RCE vulnerability on Windows
  • Add support for Java 11 to the JSP compiler. Java 12 and 13 are also now supported if used with an ECJ version with support for those Java versions
  • Various NIO2 stability improvements

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.


#2

Hey Peter,

Thanks for taking the time to post this. I’m going to ping our data team and have them take a look. We’ll get back to you with more information soon!

Cheers,

Nick


#3

Thanks. See: NVD - CVE-2019-0232. Apache Tomcat version 8.5.40 is NOT listed.


#4

Hi Peter,

To follow up on this, it looks like our Full Deep Dive research was recently completed on CVE-2019-0232. Unfortunately, 8.5.40 was not published by the time we completed our research, so the range was left open-ended. Our system was notified of the 8.5.40 release and that data is working its way through the pipeline.

I would expect you will see this updated in IQ server in a few days.

Hope that helps!

Cheers,
Nick
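
The open-ended range described in the reply above, as an added example that is not part of the original thread and not Nexus IQ's own matching logic: it shows why 8.5.40 matches until the upper bound is recorded, and how a triage step can separate confirmed matches from ones inferred past the last researched release. The names `AffectedRange`, `triage` and `researched_up_to`, the 8.5.0 lower bound, and 8.5.39 as the last researched release are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version such as '8.5.40' into a comparable tuple."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(part) for part in text.split("."))

@dataclass
class AffectedRange:
    """Half-open range [introduced, fixed); fixed=None means no upper bound recorded."""
    introduced: str
    fixed: Optional[str] = None

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)

def triage(version: str, rng: AffectedRange, researched_up_to: str) -> str:
    """Classify a scanner match so open-ended hits on newer releases get reviewed."""
    if not rng.contains(version):
        return "not-affected"
    if rng.fixed is None and parse_version(version) > parse_version(researched_up_to):
        # The release postdates the research, so the match is inferred, not confirmed.
        return "verify-against-vendor-changelog"
    return "affected"

# Constructed records: 8.5.0 as the lower bound is an assumption for illustration.
OPEN_ENDED = AffectedRange(introduced="8.5.0")              # before 8.5.40 was known
CLOSED = AffectedRange(introduced="8.5.0", fixed="8.5.40")  # after the data update

if __name__ == "__main__":
    for label, rng in (("open-ended", OPEN_ENDED), ("closed", CLOSED)):
        for version in ("8.5.39", "8.5.40"):
            print(label, version, triage(version, rng, researched_up_to="8.5.39"))
```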


#5

Nick,

Do you have a time frame when this will be updated in the IQ server? Could you please notify me when you make the update?

Thanks,

Peter.