Bug 1493220 (CVE-2017-12615) - CVE-2017-12615 tomcat: Remote Code Execution via JSP Upload
Summary: CVE-2017-12615 tomcat: Remote Code Execution via JSP Upload
Status: NEW
Alias: CVE-2017-12615
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20170919,repo...
Keywords: Reopened, Security
Depends On: 1493779 1493783 1493817 1493818 1498342 1498343 1498344 1498345
Blocks: 1509003 1493229 1507692
TreeView+ depends on / blocked
 
Reported: 2017-09-19 16:04 UTC by Adam Mariš
Modified: 2019-04-05 03:15 UTC (History)
50 users (show)

Fixed In Version: tomcat 7.0.81
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-09-19 16:13:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3080 normal SHIPPED_LIVE Important: tomcat6 security update 2017-10-30 04:15:02 UTC
Red Hat Product Errata RHSA-2017:3081 normal SHIPPED_LIVE Important: tomcat security update 2017-10-30 04:26:54 UTC
Red Hat Product Errata RHSA-2017:3113 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and bug fix update 2017-11-02 23:15:44 UTC
Red Hat Product Errata RHSA-2017:3114 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and bug fix update 2017-11-02 23:04:48 UTC
Red Hat Product Errata RHSA-2018:0465 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update 2018-03-07 20:09:54 UTC
Red Hat Product Errata RHSA-2018:0466 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update 2018-03-07 20:21:52 UTC

Description Adam Mariš 2017-09-19 16:04:54 UTC
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Affected versions: 7.0.0 to 7.0.79

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81

Comment 10 Doran Moppert 2017-10-04 05:17:36 UTC
Mitigation:

Ensure that readonly is set to true (the default) for the DefaultServlet, WebDAV servlet or application context.

Block HTTP methods that permit resource modification for untrusted users.

Comment 11 Doran Moppert 2017-10-04 05:19:10 UTC
Statement:

This flaw affects Tomcat on Red Hat Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected.

Comment 15 errata-xmlrpc 2017-10-30 00:17:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080

Comment 16 errata-xmlrpc 2017-10-30 00:29:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081

Comment 17 errata-xmlrpc 2017-11-02 19:08:31 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114

Comment 18 errata-xmlrpc 2017-11-02 19:17:36 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113

Comment 19 errata-xmlrpc 2018-03-07 15:09:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465

Comment 20 errata-xmlrpc 2018-03-07 15:23:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466


Note You need to log in before you can comment on or make changes to this bug.