The Apache Tomcat team has disclosed that all versions of Tomcat before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially critical remote code execution (RCE) flaw on all operating systems if the default servlet is configured with the parameter readonly set to false, or if the WebDAV servlet is enabled with the parameter readonly set to false.
To exploit this flaw, an attacker needs to upload a maliciously crafted JSP file to a targeted server running an affected version of Apache Tomcat. The server then executes the code in the JSP file when the file is requested by an HTTP client (e.g. a web browser).
According to Peter Stöckli of Alphabot Security:
"This configuration would allow any unauthenticated user to upload files (as used in WebDAV). It was discovered that the filter that prevents the uploading of JavaServer Pages (.jsp) can be circumvented. So JSPs can be uploaded, which then can be executed on the server. Now, since this feature is typically not wanted, most publicly exposed systems won't have readonly set to false and are thus not affected."
Users are advised to install the software updates as soon as possible, to restrict network access to trusted users only, and to monitor affected systems.
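To check whether a given installation meets both conditions described above, the following added example (not from the Tomcat project or the original article) audits a web.xml for a default or WebDAV servlet with readonly set to false and compares a version string against the fixed releases listed in the article. The function names and the sample web.xml are constructed for illustration; a servlet without a readonly parameter is treated as read-only, which is Tomcat's default.

```python
import xml.etree.ElementTree as ET

# Servlet classes for the two servlets the article names.
WRITABLE = {"org.apache.catalina.servlets.DefaultServlet",
            "org.apache.catalina.servlets.WebdavServlet"}
# First fixed release per branch, as listed in the article.
FIXED = {(9, 0): 1, (8, 5): 23, (8, 0): 47, (7, 0): 82}
# Constructed sample input, not taken from a real deployment.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def local(tag):
    """Drop the XML namespace so namespaced and plain web.xml files both match."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or '' if absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def writable_servlets(web_xml):
    """Names of default/WebDAV servlets declared with readonly=false."""
    hits = []
    for servlet in ET.fromstring(web_xml).iter():
        if local(servlet.tag) != "servlet" or \
                child_text(servlet, "servlet-class") not in WRITABLE:
            continue
        for param in servlet:
            if (local(param.tag) == "init-param"
                    and child_text(param, "param-name") == "readonly"
                    and child_text(param, "param-value").lower() == "false"):
                hits.append(child_text(servlet, "servlet-name"))
    return hits

def is_patched(version):
    """True if `version` is at or above the fixed release for its branch."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed = FIXED.get((major, minor))
    if fixed is None:  # branch not listed: older branches count as unpatched
        return (major, minor) > (9, 0)
    return patch >= fixed
```

Run it against both the server-wide conf/web.xml and each application's WEB-INF/web.xml, since either can declare these servlets.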