Several security vulnerabilities have been patched in Apache Tomcat in recent weeks. The fixed flaws include code execution vulnerabilities.
Apache Tomcat is the most widely used web application server, with over one million downloads per month and over 70% penetration in the enterprise datacenter.
On Tuesday, the Apache Tomcat development team publicly disclosed a remote code execution vulnerability, tracked as CVE-2017-12617, affecting the popular web application server. Tomcat versions 9.x, 8.5.x, 8.0.x and 7.0.x are affected by the flaw.
The vulnerability, classified as “important” severity, has been fixed in versions 9.0.1, 8.5.23, 8.0.47 and 7.0.82.
The vulnerability only affects systems that have the HTTP PUT method enabled. Attackers could exploit it to upload a malicious JSP file to a targeted server using a specially crafted request. Once the file has been uploaded, the code it contains could be executed by requesting the file.
Fortunately, the impact of the flaw is limited: it can be triggered only when the default servlet is configured with the readonly parameter set to false, or when the WebDAV servlet is enabled with the readonly parameter set to false.
“When running with HTTP PUTs enabled (e.g. via setting the read-only initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.” states the security advisory.
“This configuration would allow any unauthenticated user to upload files (as used in WebDAV). It was discovered that the filter that prevents the uploading of JavaServer Pages (.jsp) can be circumvented. So JSPs can be uploaded, which then can be executed on the server.” wrote the security researcher Peter Stöckli.
“Now since this feature is typically not wanted, most publicly exposed systems won’t have readonly set to false and are thus not affected.”
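To check a server against the two conditions above (an affected version and a servlet with readonly set to false), the following added example, which is not code from the advisory or the Tomcat project, audits a web.xml and compares a version string with the fixed releases listed in this article. The function names and the sample web.xml are constructed for illustration; the servlet class names are Tomcat's standard Default and WebDAV servlet classes.

```python
import xml.etree.ElementTree as ET

# Servlets that accept HTTP PUT when their readonly init-param is false.
WRITABLE_CAPABLE = {"org.apache.catalina.servlets.DefaultServlet",
                    "org.apache.catalina.servlets.WebdavServlet"}
# First fixed release per branch, as listed in the article.
FIXED = {(9, 0): 1, (8, 5): 23, (8, 0): 47, (7, 0): 82}

def _local(tag):
    """Strip the XML namespace so any web.xml schema version parses."""
    return tag.rsplit("}", 1)[-1]

def writable_servlets(web_xml_text):
    """Return names of Default/WebDAV servlets declared with readonly=false."""
    findings = []
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("servlet-class") not in WRITABLE_CAPABLE:
            continue
        for param in (c for c in elem if _local(c.tag) == "init-param"):
            kv = {_local(p.tag): (p.text or "").strip() for p in param}
            if (kv.get("param-name") == "readonly"
                    and kv.get("param-value", "").lower() == "false"):
                findings.append(fields.get("servlet-name", "?"))
    return findings

def is_patched(version):
    """True/False for a listed branch, None for a branch the article does not cover."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch >= fixed

# Constructed sample: a web.xml with PUT enabled on the default servlet only.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>"""
```

A servlet with no readonly init-param is not reported, since readonly defaults to true; run the check over both the global conf/web.xml and each application's WEB-INF/web.xml.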
The proof-of-concept (PoC) exploit for the CVE-2017-12617 flaw is publicly available.
Stöckli highlighted the similarities between the CVE-2017-12617 flaw and the CVE-2017-12615 vulnerability that was fixed on September 19 with the release of version 7.0.81.
The Apache Tomcat 7 update released in September also addressed CVE-2017-12616, which could be exploited by attackers to bypass security constraints and view the source code of JSPs via a specially crafted request.
(Security Affairs – CVE-2017-12617, Tomcat)