Vulnerability CVE-2017-12617


Published: 2017-10-03   Modified: 2017-10-04

Description:
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

See advisories in our WLB2 database:
Topic
Author
Date
High
Apache Tomcat Upload Bypass / Remote Code Execution
intx0x80
11.10.2017
High
Tomcat JSP Upload Bypass Remote Code Execution
peewpw
12.10.2017
Med.
Tomcat Remote Code Execution via JSP Upload Bypass
peewpw
19.10.2017

Type:

CWE-434

(Unrestricted Upload of File with Dangerous Type)

Vendor: Apache
Product: Tomcat 
Version:
9.0.0
8.5.9
8.5.8
8.5.7
8.5.6
8.5.5
8.5.4
8.5.3
8.5.22
8.5.21
8.5.20
8.5.2
8.5.19
8.5.18
8.5.17
8.5.16
8.5.15
8.5.14
8.5.13
8.5.12
8.5.11
8.5.10
8.5.1
8.5.0
8.0.9
8.0.7
8.0.6
8.0.46
8.0.45
8.0.44
8.0.43
8.0.42
8.0.41
8.0.40
8.0.4
8.0.39
8.0.38
8.0.37
8.0.36
8.0.35
8.0.34
8.0.33
8.0.32
8.0.31
8.0.30
8.0.29
8.0.28
8.0.27
8.0.26
8.0.25
8.0.24
8.0.23
8.0.22
8.0.21
8.0.20
8.0.2
8.0.19
8.0.18
8.0.17
8.0.16
8.0.15
8.0.14
8.0.13
8.0.12
8.0.11
8.0.10
8.0.1
8.0.0
7.0.9
7.0.81
7.0.80
7.0.8
7.0.79
7.0.77
7.0.76
7.0.75
7.0.74
7.0.73
7.0.72
7.0.71
7.0.70
7.0.7
7.0.69
7.0.68
7.0.67
7.0.66
7.0.65
7.0.64
7.0.63
7.0.62
7.0.61
7.0.60
7.0.6
7.0.59
7.0.58
7.0.57
7.0.56
7.0.55
7.0.54
7.0.51
See more versions on NVD

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
6.8/10
6.4/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

 References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.securityfocus.com/bid/100954
http://www.securitytracker.com/id/1039552
https://access.redhat.com/errata/RHSA-2017:3080
https://access.redhat.com/errata/RHSA-2017:3081
https://access.redhat.com/errata/RHSA-2017:3113
https://access.redhat.com/errata/RHSA-2017:3114
https://access.redhat.com/errata/RHSA-2018:0268
https://access.redhat.com/errata/RHSA-2018:0269
https://access.redhat.com/errata/RHSA-2018:0270
https://access.redhat.com/errata/RHSA-2018:0271
https://access.redhat.com/errata/RHSA-2018:0275
https://access.redhat.com/errata/RHSA-2018:0465
https://access.redhat.com/errata/RHSA-2018:0466
https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E
https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html
https://security.netapp.com/advisory/ntap-20171018-0002/
https://security.netapp.com/advisory/ntap-20180117-0002/
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
https://usn.ubuntu.com/3665-1/
https://www.exploit-db.com/exploits/42966/
https://www.exploit-db.com/exploits/43008/

Related CVE
CVE-2017-15695
When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should b...
CVE-2018-8008
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose an arbitrary file write vulnerability, that can be achieved using a specially crafted zip archive (affects other archives as well, bzip2, tar, xz, war, cp...
CVE-2018-1332
Apache Storm version 1.0.6 and earlier, 1.2.1 and earlier, and version 1.1.2 and earlier expose a vulnerability that could allow a user to impersonate another user when communicating with some Storm Daemons.
CVE-2018-8013
In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before ...
CVE-2018-1310
Apache NiFi JMS Deserialization issue because of ActiveMQ client vulnerability. Malicious JMS content could cause denial of service. See ActiveMQ CVE-2015-5254 announcement for more information. The fix to upgrade the activemq-client library to 5.15....
CVE-2018-1309
Apache NiFi External XML Entity issue in SplitXML processor. Malicious XML content could cause information disclosure or remote code execution. The fix to disable external general entity parsing and disallow doctype declarations was applied on the Ap...
CVE-2018-8012
No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit cha...
CVE-2018-8010
This vulnerability in Apache Solr 6.0.0 to 6.6.3, 7.0.0 to 7.3.0 relates to an XML external entity expansion (XXE) in Solr config files (solrconfig.xml, schema.xml, managed-schema). In addition, Xinclude functionality provided in these config files i...

Copyright 2018, cxsecurity.com

 

Back to Top