Synology-SA-19:17 Tomcat

Publish Time: 2019-04-17 17:42:06 UTC+8

Last Updated: 2019-05-30 10:22:12 UTC+8

Not affected


Since CVE-2019-0232 only affects when Tomcat is deployed on Microsoft Windows, none of the Synology products are affected as Synology Tomcat7 and Tomcat6 are restricted to execute on DiskStation Manager (DSM).

Affected Products

Product Severity Fixed Release Availability
Tomcat7 Not affected N/A
Tomcat6 Not affected N/A




  • CVE-2019-0232
    • Severity: Not affected
    • CVSS3 Base Score: 0.0
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    • When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog ( and this archived MSDN blog (



Revision Date Description
1 2019-04-17 Initial public release.
2 2019-05-30 Disclosed vulnerability details.