Code execution vulnerability (CVE-2017-12617) has been patched in Apache Tomcat


The Apache Tomcat team has published that all Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially critical remote code execution (RCE) flaw, on all operating systems, when the default servlet is configured with its readonly initialisation parameter set to false, or when the WebDAV servlet is enabled with readonly set to false. The parameter defaults to true, so a stock Tomcat installation that has not been made writable is not affected.

To exploit the flaw, an attacker uploads a specially crafted JSP file to a server running an affected version (the writable default or WebDAV servlet accepts the file via an HTTP PUT request). The server then executes the code in that JSP as soon as the file is requested by any HTTP client, such as a web browser.

According to Peter Stöckli of Alphabot Security:

"This configuration would allow any unauthenticated user to upload files (as used in WebDAV). It was discovered that the filter that prevents the uploading of JavaServer Pages (.jsp) can be circumvented. So JSPs can be uploaded, which then can be executed on the server. Now, since this feature is typically not wanted, most publicly exposed systems won't have readonly set to false and are thus not affected."
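Because the flaw only bites when readonly is false on the default or WebDAV servlet, the first thing an administrator wants is a quick way to tell whether a given Tomcat instance is exposed: is the running version older than the fixed release for its branch, and does conf/web.xml (or an application's WEB-INF/web.xml) make either servlet writable? The following script is an added example written for this article, not code from Apache or from the researcher; the two web.xml fragments are constructed samples, and the version table simply encodes the fixed versions listed above.

```python
"""Audit a Tomcat deployment for the CVE-2017-12617 preconditions.

Added example for this article (not Apache Tomcat's own code). It checks two
things: whether a version string is older than the fixed release for its
branch, and whether a web.xml makes the default or WebDAV servlet writable
(init-param readonly=false). Tomcat's DefaultServlet defaults readonly to
true, so an absent parameter is treated as safe.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# First fixed release per branch, taken from the article's list.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 0): (7, 0, 82),
    (8, 0): (8, 0, 47),
    (8, 5): (8, 5, 23),
    (9, 0): (9, 0, 1),
}

# Servlet classes that honour the readonly init-param and accept PUT.
WRITABLE_SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

# Constructed sample: the weak configuration (both servlets writable).
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern></servlet-mapping>
</web-app>
"""

# Constructed sample: the corrected configuration (readonly=true, no WebDAV).
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so Tomcat 7 (java.sun.com) and 8.5+/9 (xmlns.jcp.org) schemas both parse."""
    return tag.rsplit("}", 1)[-1]


def find_writable_servlets(web_xml: str) -> List[str]:
    """Return the servlet-names of default/WebDAV servlets configured with readonly=false."""
    root = ET.fromstring(web_xml)
    findings: List[str] = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name, cls, params = "", "", {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                pname = pvalue = ""
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname:
                    params[pname] = pvalue
        # Absent readonly means the DefaultServlet default of "true", i.e. not writable.
        if cls in WRITABLE_SERVLETS and params.get("readonly", "true").lower() == "false":
            findings.append(name)
    return findings


def is_patched_version(version: str) -> Optional[bool]:
    """True if the version is at or past the fixed release for its branch; None if unknown/unparsable.

    Pre-release suffixes such as 9.0.0.M26 or 8.0.0.RC1 are handled by
    comparing only the first three numeric components, which already sort
    below the fixed release for that branch.
    """
    try:
        nums = tuple(int(p) for p in version.split(".")[:3])
    except ValueError:
        return None
    if len(nums) < 3:
        return None
    fixed = FIXED_VERSIONS.get(nums[:2])
    if fixed is None:
        return None  # branch not covered by the advisory
    return nums >= fixed


def assess(version: str, web_xml: str) -> Dict[str, object]:
    """Combine both checks: exposed only when unpatched AND a writable servlet exists."""
    patched = is_patched_version(version)
    writable = find_writable_servlets(web_xml)
    return {"patched": patched, "writable_servlets": writable,
            "exposed": patched is False and bool(writable)}


if __name__ == "__main__":
    print(assess("8.5.22", WEAK_WEB_XML))      # unpatched + writable -> exposed
    print(assess("8.5.23", WEAK_WEB_XML))      # patched, still worth fixing readonly
    print(assess("8.5.22", HARDENED_WEB_XML))  # unpatched but not writable
```

Run it against your real conf/web.xml (and each deployed application's WEB-INF/web.xml, which can override the global default servlet) by reading the file into the same function; a patched version with readonly still set to false is not exposed to this CVE, but leaving anonymous PUT enabled on a public server is rarely intended and should be reviewed regardless.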

Users are advised to install the updates as soon as possible, to restrict network access to the affected servers to trusted users, and to monitor those systems for unexpected uploads.

Eslam Medhat

is a professional pen-tester with over 9 years of IT experience and a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He has reported various vulnerabilities to high-profile companies and vendors and has been acknowledged by them.