Fedora Account System
Red Hat Associate
Red Hat Customer
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. Affected versions: 7.0.0 to 7.0.79 External References: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
Upstream patches: https://svn.apache.org/viewvc?view=revision&revision=1804604 https://svn.apache.org/viewvc?view=revision&revision=1804729
Mitigation: Ensure that readonly is set to true (the default) for the DefaultServlet, WebDAV servlet or application context. Block HTTP methods that permit resource modification for untrusted users.
Statement: This flaw affects Tomcat on Red Hat Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466