When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Affected versions: 7.0.0 to 7.0.79
External References: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
Upstream patches:
https://svn.apache.org/viewvc?view=revision&revision=1804604
https://svn.apache.org/viewvc?view=revision&revision=1804729
Mitigation: Ensure that readonly is set to true (the default) for the DefaultServlet, the WebDAV servlet, or the application context. Block HTTP methods that permit resource modification (at minimum PUT and DELETE) for untrusted users.
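The mitigation above comes down to two settings in a web application's (or Tomcat's global conf/) web.xml: the readonly init-param on the Default and WebDAV servlets, and a security-constraint that denies modifying HTTP methods. The script below is an added example, not code from Red Hat's advisory or from the Tomcat project: it parses a web.xml, reports any Default/WebDAV servlet explicitly configured with readonly=false, and reports which modifying methods are not covered by an auth-constraint on /*. The two web.xml fragments embedded in it are constructed for the example, the weak one beside the corrected one. The WebDAV method list beyond PUT/DELETE and the rule that only a constraint on the /* pattern counts as blocking are my assumptions.

```python
"""Audit a Tomcat web.xml for the two settings the mitigation names:
readonly=false on the Default/WebDAV servlet and unrestricted PUT/DELETE."""
import xml.etree.ElementTree as ET

# Servlets whose "readonly" init-param controls whether clients can modify
# files in the webapp. Both default to readonly=true in Tomcat.
WRITE_CAPABLE_SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}
# PUT/DELETE are what the DefaultServlet honours; the remaining entries are
# WebDAV write methods (assumption: also worth denying when WebDAV is mapped).
MODIFYING_METHODS = {"PUT", "DELETE", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

# Constructed sample: the weak configuration the advisory describes.
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

# Constructed sample: readonly back to true, plus PUT/DELETE denied to everyone
# (an empty <auth-constraint/> means no role is allowed through).
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no resource modification</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the checks work on any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, or ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def writable_servlets(root):
    """Names of Default/WebDAV servlets explicitly configured with readonly=false."""
    found = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") not in WRITE_CAPABLE_SERVLETS:
            continue
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "readonly"
                    and _child_text(param, "param-value").lower() == "false"):
                found.append(_child_text(servlet, "servlet-name"))
    return found


def restricted_methods(root):
    """Methods denied to untrusted users by a security-constraint on /*.
    Any auth-constraint (empty or with roles) keeps unauthenticated callers out;
    a collection with no <http-method> covers every method (servlet spec)."""
    methods = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            patterns = {(c.text or "").strip() for c in wrc if _local(c.tag) == "url-pattern"}
            if "/*" not in patterns:  # assumption: only a site-wide constraint counts
                continue
            listed = {(c.text or "").strip().upper() for c in wrc if _local(c.tag) == "http-method"}
            methods |= listed if listed else set(MODIFYING_METHODS)
    return methods


def audit(web_xml):
    """Return the findings; at_risk needs a writable servlet AND reachable PUT/DELETE."""
    root = ET.fromstring(web_xml)
    writable = writable_servlets(root)
    blocked = restricted_methods(root)
    at_risk = bool(writable) and not {"PUT", "DELETE"} <= blocked
    return {
        "writable_servlets": writable,
        "unrestricted_methods": sorted(MODIFYING_METHODS - blocked),
        "at_risk": at_risk,
    }


if __name__ == "__main__":
    for label, xml in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit(xml))
```

Run it against the real conf/web.xml and each deployed WEB-INF/web.xml; a finding of readonly=false on a context that also lacks a PUT/DELETE constraint is exactly the configuration the advisory says is exploitable, and either fix on its own clears the at_risk flag.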
Statement: This flaw affects Tomcat on Red Hat Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6: via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080
Red Hat Enterprise Linux 7: via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081
Red Hat JBoss Web Server: via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114
Red Hat JBoss Enterprise Web Server 2 for RHEL 6, Red Hat JBoss Enterprise Web Server 2 for RHEL 7: via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113
Red Hat JBoss Web Server: via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465
Red Hat JBoss Web Server 3 for RHEL 6, Red Hat JBoss Web Server 3 for RHEL 7: via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466