CVE-2017-12617 Code Execution flaw patched in Apache Tomcat

Several security vulnerabilities have been patched in recent weeks in Apache Tomcat, including the CVE-2017-12617 Code Execution vulnerability.

Several security vulnerabilities have been patched in recent weeks in Apache Tomcat. The list of fixed flaws recently addressed also included code execution vulnerabilities.

Apache Tomcat is the most widely used web application server, with over one million downloads per month and over 70% penetration in the enterprise datacenter.

On Tuesday, the Apache Tomcat development team publicly disclosed the presence of a remote code execution vulnerability, tracked as CVE-2017-12617, affecting the popular web application server. The Tomcat versions 9.x, 8.5.x, 8.0.x and 7.0.x are affected by the flaw.

The vulnerability classified as “important” severity, has been fixed in the versions 9.0.1, 8.5.23, 8.0.47 and 7.0.82.

The vulnerability only affected systems that have the HTTP PUT method enabled, it could be exploited by attackers to upload a malicious JSP file to a targeted server using a specially crafted request. Once the file has been uploaded, the code it contains could be executed by requesting the file.

Fortunately, the extent of the flaw is limited by the fact that it could be triggered only on the default servlet configured with the readonly parameter set to false or the WebDAV servlet enabled with the readonly parameter set to false.

“When running with HTTP PUTs enabled (e.g. via setting the read-only initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.” states the security advisory.

“This configuration would allow any unauthenticated user to upload files (as used in WebDAV). It was discovered that the filter that prevents the uploading of JavaServer Pages (.jsp) can be circumvented. So JSPs can be uploaded, which then can be executed on the server.” wrote the security researcher Peter Stöckli.

“Now since this feature is typically not wanted, most publicly exposed system won’t have readonly set to false and are thus not affected.”

The proof-of-concept (PoC) exploit for the CVE-2017-12617 flaw is publicly available.

Stöckli highlighted the similarities between the CVE-2017-12617 flaw and the CVE-2017-12615 vulnerability that was fixed on September 19 with the release of version 7.0.81.

The Apache Tomcat 7 update released in September also addressed the CVE-2017-12616 that could be exploited by attackers to bypass security constraints and view the source code of JSPs via a specially crafted request.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – CVE-2017-12617, Tomcat)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.