#VU8541 Remote code execution in Apache Tomcat - CVE-2017-12615

Cybersecurity Help s.r.o.

Published: 2017-09-21 | Updated: 2023-02-22

Vulnerability identifier: #VU8541

Vulnerability risk: High

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2017-12615

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Apache Tomcat
Server applications / Web servers

Vendor: Apache Foundation

Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The weakness exists in Apache Tomcat when running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) due to input validation flaw. A remote attacker can send a specially crafted HTTP PUT request to upload an arbitrary JSP file to the target system and request the file to execute arbitrary code with privileges of the current user.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 7.0.81.

Vulnerable software versions

Apache Tomcat: 7.0.0 - 7.0.80

External links
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

Red Hat update for jboss

SUSE Linux update for tomcat

Red Hat update for Red Hat JBoss Web Server

Red Hat update for tomcat

Red Hat update for tomcat6

Multiple vulnerabilities in Apache Tomcat