Bug 1493220 – CVE-2017-12615 tomcat: Remote Code Execution via JSP Upload

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1493220 - (CVE-2017-12615) CVE-2017-12615 tomcat: Remote Code Execution via JSP Upload

Summary:	CVE-2017-12615 tomcat: Remote Code Execution via JSP Upload

Status:	NEW

Aliases:	CVE-2017-12615

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20170919,repo...
Keywords:	Reopened, Security

Depends On:	1493779 1493783 1493817 1493818 1498342 1498343 1498344 1498345
Blocks:	1509003 1493229 1507692
	Show dependency tree / graph

Reported:	2017-09-19 12:04 EDT by Adam Mariš
Modified:	2018-10-19 17:43 EDT (History)
CC List:	51 users (show)

See Also:
Fixed In Version:	tomcat 7.0.81
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-09-19 12:13:08 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3080	normal	SHIPPED_LIVE	Important: tomcat6 security update	2017-10-30 00:15:02 EDT
Red Hat Product Errata	RHSA-2017:3081	normal	SHIPPED_LIVE	Important: tomcat security update	2017-10-30 00:26:54 EDT
Red Hat Product Errata	RHSA-2017:3113	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server security and bug fix update	2017-11-02 19:15:44 EDT
Red Hat Product Errata	RHSA-2017:3114	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server security and bug fix update	2017-11-02 19:04:48 EDT
Red Hat Product Errata	RHSA-2018:0465	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update	2018-03-07 15:09:54 EST
Red Hat Product Errata	RHSA-2018:0466	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update	2018-03-07 15:21:52 EST

Groups: None (edit)

Description Adam Mariš 2017-09-19 12:04:54 EDT

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Affected versions: 7.0.0 to 7.0.79

External References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81

Comment 1 Adam Mariš 2017-09-20 03:11:25 EDT

Upstream patches:

https://svn.apache.org/viewvc?view=revision&revision=1804604
https://svn.apache.org/viewvc?view=revision&revision=1804729

Comment 10 Doran Moppert 2017-10-04 01:17:36 EDT

Mitigation:

Ensure that readonly is set to true (the default) for the DefaultServlet, WebDAV servlet or application context.

Block HTTP methods that permit resource modification for untrusted users.

Comment 11 Doran Moppert 2017-10-04 01:19:10 EDT

Statement:

This flaw affects Tomcat on Red Hat Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected.

Comment 15 errata-xmlrpc 2017-10-29 20:17:27 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080

Comment 16 errata-xmlrpc 2017-10-29 20:29:02 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081

Comment 17 errata-xmlrpc 2017-11-02 15:08:31 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114

Comment 18 errata-xmlrpc 2017-11-02 15:17:36 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113

Comment 19 errata-xmlrpc 2018-03-07 10:09:59 EST

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465

Comment 20 errata-xmlrpc 2018-03-07 10:23:38 EST

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466

Note You need to log in before you can comment on or make changes to this bug.

akurtako
alee
apintea
bmaxwell
ccoleman
cdewolf
chazlett
coolsvap
csutherl
darran.lofthouse
dedgar
dimitris
dmcphers
dosoudil
fgavrilo
gzaronik
hhorak
ivan.afonichev
java-sig-commits
jawilson
jclere
jcoleman
jdoyle
jgoulding
jolee
jondruse
jorton
jscalf
jshepherd
krzysztof.daniel
lgao
loleary
mbabacek
mizdebsk
myarboro
nwallace
pgier
pjurak
ppalaga
psakar
pslavice
rnetuka
rstancel
rsvoboda
spinder
theute
twalsh
vhalbert
vtunka
weli
yozone