
Multiple Vulnerabilities in Apache Tomcat Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2017-086

DATE(S) ISSUED:

09/19/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in Apache Tomcat, the most severe of which could allow for remote code execution. Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Apache Tomcat 7.0.x versions prior to 7.0.82
  • Apache Tomcat 8.0.x versions prior to 8.0.47
  • Apache Tomcat 9.0.x versions prior to 9.0.1
  • Apache Tomcat 8.5.x versions prior to 8.5.23

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: MEDIUM
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: MEDIUM
Home Users:
N/A

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Apache Tomcat, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

  • A remote code execution vulnerability exists when running on Windows with HTTP PUTs enabled. It was possible to upload a JSP file to the server via a specially crafted request. (CVE-2017-12615)
  • An information disclosure vulnerability exists when using a VirtualDirContext. It was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext via a specially crafted request. (CVE-2017-12616)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

September 22 - UPDATED TECHNICAL SUMMARY:
A remote code execution vulnerability exists when running on Windows with HTTP PUTs enabled. It was possible to upload a JSP file to the server via a specially crafted request. (CVE-2017-12617)

Note: CVE-2017-12617 is the same vulnerability as CVE-2017-12615. The 7.0.82 patch was released as the previous patch did not resolve the remote code execution vulnerability described in CVE-2017-12615.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Upgrade to one of the non-impacted versions of Apache Tomcat (7.0.81) after appropriate testing.
  • Verify no unauthorized system modifications have occurred on the system before applying the patch.
  • Frequently validate type and content of uploaded data.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

September 22 - UPDATED RECOMMENDATIONS:
  • Upgrade to one of the non-impacted versions of Apache Tomcat (7.0.82) after appropriate testing.

October 4 - UPDATED RECOMMENDATIONS:
  • Upgrade to one of the non-impacted versions of Apache Tomcat (8.0.47, 8.5.23, 9.0.1) after appropriate testing.
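As an added example (not part of the MS-ISAC advisory and not Apache code), the following Python audit applies the advisory's version ranges and inspects a Tomcat web.xml for the DefaultServlet `readonly=false` init-param, the standard setting that enables HTTP PUT; the sample web.xml is constructed for the demonstration, and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases per the advisory (7.0.82, since 7.0.81 did not fully fix CVE-2017-12615).
FIXED = {(7, 0): (7, 0, 82), (8, 0): (8, 0, 47), (8, 5): (8, 5, 23), (9, 0): (9, 0, 1)}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def parse_version(text):
    """'8.5.20' -> (8, 5, 20); rejects anything that is not major.minor.patch."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(version_text):
    """Listed branch and older than its fix -> True; unlisted branch -> False (not 'safe')."""
    v = parse_version(version_text)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Java EE namespace prefix

def put_enabled(web_xml_text):
    """True if DefaultServlet sets readonly=false (enables PUT/DELETE; default is true)."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) == "init-param":
                p = {_local(c.tag): (c.text or "").strip() for c in param}
                if p.get("param-name") == "readonly":
                    return p.get("param-value", "").lower() == "false"
    return False

def exposed_to_put_upload(version_text, web_xml_text):
    # The precondition the advisory describes: vulnerable build AND PUT enabled.
    return is_affected(version_text) and put_enabled(web_xml_text)

# Constructed sample web.xml (not from a real deployment) with PUT switched on.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run `exposed_to_put_upload("7.0.81", open("conf/web.xml").read())` against a real install to get the combined answer; a True result means both the build and the configuration match the advisory's precondition.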

REFERENCES:
