Bug 1494283 – CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1494283 - (CVE-2017-12617) CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615

Summary:	CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615

Status:	NEW

Aliases:	CVE-2017-12617

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	high Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=important,public=20170921,repo...
Keywords:	Security

Depends On:	1498330 1494342 1494343 1497079 1497681 1497682 1498331 1498342 1498343 1498344 1498345
Blocks:	1509003 1493229 1507692 1537472
	Show dependency tree / graph

Reported:	2017-09-21 19:13 EDT by Jason Shepherd
Modified:	2018-10-19 17:43 EDT (History)
CC List:	54 users (show)

See Also:
Fixed In Version:	tomcat 7.0.82, tomcat 8.0.47, tomcat 8.5.23
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3080	normal	SHIPPED_LIVE	Important: tomcat6 security update	2017-10-30 00:15:02 EDT
Red Hat Product Errata	RHSA-2017:3081	normal	SHIPPED_LIVE	Important: tomcat security update	2017-10-30 00:26:54 EDT
Red Hat Product Errata	RHSA-2017:3113	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server security and bug fix update	2017-11-02 19:15:44 EDT
Red Hat Product Errata	RHSA-2017:3114	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server security and bug fix update	2017-11-02 19:04:48 EDT
Red Hat Product Errata	RHSA-2018:0268	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update	2018-02-05 14:05:56 EST
Red Hat Product Errata	RHSA-2018:0269	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update	2018-02-05 17:11:04 EST
Red Hat Product Errata	RHSA-2018:0270	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update	2018-02-05 10:44:31 EST
Red Hat Product Errata	RHSA-2018:0271	normal	SHIPPED_LIVE	Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update	2018-02-05 14:08:06 EST
Red Hat Product Errata	RHSA-2018:0275	normal	SHIPPED_LIVE	Important: jboss-ec2-eap security, bug fix, and enhancement update	2018-02-05 14:24:53 EST
Red Hat Product Errata	RHSA-2018:0465	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update	2018-03-07 15:09:54 EST
Red Hat Product Errata	RHSA-2018:0466	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update	2018-03-07 15:21:52 EST
Red Hat Product Errata	RHSA-2018:2939	None	None	None	2018-10-17 15:28 EDT

Groups: None (edit)

Description Jason Shepherd 2017-09-21 19:13:11 EDT

When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. This issue affects Apache Tomcat versions up to and including 7.0.81. The fix for CVE-2017-12615 does not prevent this issue.

Comment 9 Adam Mariš 2017-10-02 08:53:59 EDT

External References:

https://tomcat.apache.org/security-7.html
https://tomcat.apache.org/security-8.html

Comment 10 Adam Mariš 2017-10-02 08:58:18 EDT

Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1497681]
Affects: fedora-all [bug 1497682]

Comment 17 Doran Moppert 2017-10-04 01:18:03 EDT

Mitigation:

Ensure that readonly is set to true (the default) for the DefaultServlet, WebDAV servlet or application context.

Block HTTP methods that permit resource modification for untrusted users.

Comment 18 Doran Moppert 2017-10-04 01:19:08 EDT

Statement:

This flaw affects Tomcat on Red Hat Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected.

Comment 23 errata-xmlrpc 2017-10-29 20:17:50 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080

Comment 24 errata-xmlrpc 2017-10-29 20:29:20 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081

Comment 25 errata-xmlrpc 2017-11-02 15:08:48 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114

Comment 26 errata-xmlrpc 2017-11-02 15:17:57 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113

Comment 27 errata-xmlrpc 2018-02-05 05:27:06 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0269 https://access.redhat.com/errata/RHSA-2018:0269

Comment 28 errata-xmlrpc 2018-02-05 05:41:04 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:0268 https://access.redhat.com/errata/RHSA-2018:0268

Comment 29 errata-xmlrpc 2018-02-05 05:43:58 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:0271 https://access.redhat.com/errata/RHSA-2018:0271

Comment 30 errata-xmlrpc 2018-02-05 05:46:50 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:0270 https://access.redhat.com/errata/RHSA-2018:0270

Comment 31 errata-xmlrpc 2018-02-05 09:24:24 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:0275 https://access.redhat.com/errata/RHSA-2018:0275

Comment 34 errata-xmlrpc 2018-03-07 10:10:44 EST

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465

Comment 35 errata-xmlrpc 2018-03-07 10:24:25 EST

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466

Comment 36 errata-xmlrpc 2018-10-17 15:28:33 EDT

This issue has been addressed in the following products:

  Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Note You need to log in before you can comment on or make changes to this bug.

akurtako
alee
apintea
bmaxwell
ccoleman
cdewolf
chazlett
coolsvap
csutherl
darran.lofthouse
dedgar
deesharm
dimitris
dmcphers
dosoudil
fgavrilo
gzaronik
hhorak
ivan.afonichev
java-sig-commits
jawilson
jclere
jcoleman
jdoyle
jgoulding
jolee
jondruse
jorton
jscalf
jshepherd
krzysztof.daniel
lgao
loleary
mbabacek
mizdebsk
mmiura
myarboro
nwallace
pgier
pjurak
ppalaga
psakar
pslavice
rahranja
rnetuka
rstancel
rsvoboda
spinder
theute
twalsh
vhalbert
vtunka
weli
yozone