On Tuesday, 3 October 2017, the Apache Tomcat development team publicly disclosed a remote code execution vulnerability, tracked as CVE-2017-12617, in the popular Java web application server. The Tomcat 9.x, 8.5.x, 8.0.x and 7.0.x branches are affected. The flaw is fixed in Tomcat 9.0.1, 8.5.23, 8.0.47 and 7.0.82.
The vulnerability only affects installations that have HTTP PUT enabled; in Tomcat that means the Default servlet's readonly initialisation parameter has been set to false (the built-in default is true, which refuses PUT). With PUT enabled, an attacker could upload a malicious JSP file to the server with a specially crafted request. Once the file is on the server, the code it contains is executed simply by requesting it.
CVE-2017-12617
If your server runs Apache Tomcat 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 or 7.0.0 to 7.0.81 with HTTP PUT enabled, it is possible to upload a JSP file to the server. That JSP file can then be requested, and any code it contains is executed by the server.
Affected versions:
- Apache Tomcat 9.0.0.M1 to 9.0.0
- Apache Tomcat 8.5.0 to 8.5.22
- Apache Tomcat 8.0.0.RC1 to 8.0.46
- Apache Tomcat 7.0.0 to 7.0.81
Fix for CVE-2017-12617 in Apache Tomcat:
- Upgrade to Apache Tomcat 9.0.1 or later
- Upgrade to Apache Tomcat 8.5.23 or later
- Upgrade to Apache Tomcat 8.0.47 or later
- Upgrade to Apache Tomcat 7.0.82 or later
If you cannot upgrade immediately, make sure HTTP PUT is not enabled: leave the Default servlet's readonly parameter at its default of true in conf/web.xml and in every deployed application's WEB-INF/web.xml. Without PUT the upload step of this attack is not available.
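To check an installation against the affected ranges and the PUT setting described above, here is an added Python example. It is my own audit script, not code from the advisory or the Tomcat project. It assumes you give it the version string reported by the server (for example from bin/version.sh) and the text of a web.xml; the two web.xml fragments embedded in it are constructed samples showing the weak readonly=false setting beside the corrected one.

```python
"""Added example: audit one Tomcat instance for CVE-2017-12617 exposure.

Two checks: is the version inside an affected range from the advisory, and does
web.xml set the Default servlet's "readonly" init-param to false (the way HTTP
PUT gets enabled in Tomcat)? Only both together make the server exploitable.
"""
import re
import xml.etree.ElementTree as ET

# Inclusive (first, last) affected ranges, as published in the advisory.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.0"),
    ("8.5.0", "8.5.22"),
    ("8.0.0.RC1", "8.0.46"),
    ("7.0.0", "7.0.81"),
]
# First fixed release on each branch.
FIXED_VERSIONS = {"9.0": "9.0.1", "8.5": "8.5.23", "8.0": "8.0.47", "7.0": "7.0.82"}

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def version_key(version):
    """Map a Tomcat version string to a sortable tuple.

    Pre-release builds ("9.0.0.M1", "8.0.0.RC1") must sort before the final
    release with the same number, so the tuple carries a rank: M < RC < final.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4):
        return (major, minor, patch, {"M": 0, "RC": 1}[m.group(4)], int(m.group(5)))
    return (major, minor, patch, 2, 0)


def is_affected(version):
    """True if the version falls inside any affected range."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def fixed_version_for(version):
    """First release on the same branch that carries the fix (None if unknown)."""
    major, minor = version_key(version)[:2]
    return FIXED_VERSIONS.get(f"{major}.{minor}")


def _local(tag):
    """Strip the XML namespace: Tomcat 7 and Tomcat 8/9 web.xml use different ones."""
    return tag.rsplit("}", 1)[-1]


def _child_text(element, name):
    for child in element:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def put_enabled(web_xml_text):
    """True if the Default servlet is declared with readonly=false.

    Tomcat's built-in default is readonly=true, so a missing parameter (or no
    Default servlet declaration at all) means PUT and DELETE are refused.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value").lower() == "false"
    return False


def audit(version, web_xml_text):
    """Combine both checks into one verdict plus the upgrade target."""
    affected = is_affected(version)
    put_on = put_enabled(web_xml_text)
    return {
        "version": version,
        "affected_version": affected,
        "put_enabled": put_on,
        "exploitable": affected and put_on,
        "upgrade_to": fixed_version_for(version) if affected else None,
    }


# Constructed sample (not a real server's file): the weak setting that enables PUT.
WEAK_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the corrected setting (equivalent to omitting the parameter).
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")


if __name__ == "__main__":
    for ver, cfg in (("8.5.22", WEAK_WEB_XML), ("8.5.22", HARDENED_WEB_XML), ("8.5.23", WEAK_WEB_XML)):
        print(audit(ver, cfg))
```

The Default servlet can also be redeclared in an individual application's WEB-INF/web.xml, so run put_enabled over every deployed application's descriptor as well as conf/web.xml; an unpatched server with readonly=true everywhere is still worth upgrading, it just lacks the upload step this attack needs.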