Enablecmdlinearguments

Posted by admin

Our application server (Apache Tomcat Plume), which uses a JTA-managed data source through the tomee.xml file, should access the database server only in secure (HTTPS) mode with two-way SSL or client authentication.

Description: When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default.

If command line arguments are enabled (via enableCmdLineArguments) and Tomcat is running on Windows, then each individual decoded command line argument must match this pattern, else the request will be rejected. This is to protect against known issues passing command line arguments from Java to Windows. These issues can lead to remote code execution.


<Cluster className='org.apache.catalina.ha.tcp.SimpleTcpCluster' channelSendOptions='8'>
  <!-- Session manager: replicates session deltas to the other cluster members -->
  <Manager notifyListenersOnReplication='true' expireSessionsOnShutdown='false'
           className='org.apache.catalina.ha.session.DeltaManager'></Manager>
  <Channel className='org.apache.catalina.tribes.group.GroupChannel'>
    <!-- Multicast membership on 228.0.0.4:45565 -->
    <Membership port='45565' dropTime='3000' address='228.0.0.4'
                className='org.apache.catalina.tribes.membership.McastService' frequency='500'></Membership>
    <!-- TCP receiver for replication messages, starting at port 4003 -->
    <Receiver port='4003' autoBind='100' address='auto' selectorTimeout='5000'
              maxThreads='6' className='org.apache.catalina.tribes.transport.nio.NioReceiver'></Receiver>
    <Sender className='org.apache.catalina.tribes.transport.ReplicationTransmitter'>
      <Transport className='org.apache.catalina.tribes.transport.nio.PooledParallelSender'></Transport>
    </Sender>
    <Interceptor className='org.apache.catalina.tribes.group.interceptors.TcpFailureDetector'></Interceptor>
    <Interceptor className='org.apache.catalina.tribes.group.interceptors.MessageDispatch15Interceptor'></Interceptor>
  </Channel>
  <Valve className='org.apache.catalina.ha.tcp.ReplicationValve' filter=''></Valve>
  <Valve className='org.apache.catalina.ha.session.JvmRouteBinderValve'></Valve>
  <ClusterListener className='org.apache.catalina.ha.session.JvmRouteSessionIDBinderListener'></ClusterListener>
  <ClusterListener className='org.apache.catalina.ha.session.ClusterSessionListener'></ClusterListener>
</Cluster>