Bug 1494283 (CVE-2017-12617)

Summary: CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615
Product: [Other] Security Response Reporter: Jason Shepherd <jshepherd>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akurtako, alee, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, darran.lofthouse, dedgar, deesharm, dimitris, dmcphers, dosoudil, fgavrilo, gzaronik, hhorak, ivan.afonichev, java-sig-commits, jawilson, jclere, jcoleman, jdoyle, jgoulding, jolee, jondruse, jorton, jscalf, jshepherd, krzysztof.daniel, lgao, loleary, mbabacek, mizdebsk, mmiura, myarboro, nwallace, pgier, pjurak, ppalaga, psakar, pslavice, rnetuka, rstancel, rsvoboda, spinder, theute, twalsh, vhalbert, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 7.0.82, tomcat 8.0.47, tomcat 8.5.23 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution.
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:26:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1494342, 1494343, 1497079, 1497681, 1497682, 1498330, 1498331, 1498342, 1498343, 1498344, 1498345    
Bug Blocks: 1493229, 1507692, 1509003, 1537472    

Description Jason Shepherd 2017-09-21 23:13:11 UTC
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. This issue affects Apache Tomcat versions up to and including 7.0.81. The fix for CVE-2017-12615 does not prevent this issue.

Comment 9 Adam Mariš 2017-10-02 12:53:59 UTC
External References:

https://tomcat.apache.org/security-7.html
https://tomcat.apache.org/security-8.html

Comment 10 Adam Mariš 2017-10-02 12:58:18 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1497681]
Affects: fedora-all [bug 1497682]

Comment 17 Doran Moppert 2017-10-04 05:18:03 UTC
Mitigation:

Ensure that readonly is set to true (the default) for the DefaultServlet, WebDAV servlet or application context.

Block HTTP methods that permit resource modification for untrusted users.

Comment 18 Doran Moppert 2017-10-04 05:19:08 UTC
Statement:

This flaw affects Tomcat on Red Hat Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected.

Comment 23 errata-xmlrpc 2017-10-30 00:17:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080

Comment 24 errata-xmlrpc 2017-10-30 00:29:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081

Comment 25 errata-xmlrpc 2017-11-02 19:08:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114

Comment 26 errata-xmlrpc 2017-11-02 19:17:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113

Comment 27 errata-xmlrpc 2018-02-05 10:27:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0269 https://access.redhat.com/errata/RHSA-2018:0269

Comment 28 errata-xmlrpc 2018-02-05 10:41:04 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:0268 https://access.redhat.com/errata/RHSA-2018:0268

Comment 29 errata-xmlrpc 2018-02-05 10:43:58 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:0271 https://access.redhat.com/errata/RHSA-2018:0271

Comment 30 errata-xmlrpc 2018-02-05 10:46:50 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:0270 https://access.redhat.com/errata/RHSA-2018:0270

Comment 31 errata-xmlrpc 2018-02-05 14:24:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:0275 https://access.redhat.com/errata/RHSA-2018:0275

Comment 34 errata-xmlrpc 2018-03-07 15:10:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465

Comment 35 errata-xmlrpc 2018-03-07 15:24:25 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466

Comment 36 errata-xmlrpc 2018-10-17 19:28:33 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939