Bug 1494283 (CVE-2017-12617) - CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615
Summary: CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-12617
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1494342 1494343 1497079 1497681 1497682 1498330 1498331 1498342 1498343 1498344 1498345
Blocks: 1493229 1507692 1509003 1537472
TreeView+ depends on / blocked
 
Reported: 2017-09-21 23:13 UTC by Jason Shepherd
Modified: 2021-10-07 10:40 UTC (History)
52 users (show)

Fixed In Version: tomcat 7.0.82, tomcat 8.0.47, tomcat 8.5.23
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:26:03 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3080 0 normal SHIPPED_LIVE Important: tomcat6 security update 2017-10-30 04:15:02 UTC
Red Hat Product Errata RHSA-2017:3081 0 normal SHIPPED_LIVE Important: tomcat security update 2017-10-30 04:26:54 UTC
Red Hat Product Errata RHSA-2017:3113 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and bug fix update 2017-11-02 23:15:44 UTC
Red Hat Product Errata RHSA-2017:3114 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and bug fix update 2017-11-02 23:04:48 UTC
Red Hat Product Errata RHSA-2018:0268 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update 2018-02-05 19:05:56 UTC
Red Hat Product Errata RHSA-2018:0269 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update 2018-02-05 22:11:04 UTC
Red Hat Product Errata RHSA-2018:0270 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update 2018-02-05 15:44:31 UTC
Red Hat Product Errata RHSA-2018:0271 0 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.4.19 security update 2018-02-05 19:08:06 UTC
Red Hat Product Errata RHSA-2018:0275 0 normal SHIPPED_LIVE Important: jboss-ec2-eap security, bug fix, and enhancement update 2018-02-05 19:24:53 UTC
Red Hat Product Errata RHSA-2018:0465 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update 2018-03-07 20:09:54 UTC
Red Hat Product Errata RHSA-2018:0466 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 2 security update 2018-03-07 20:21:52 UTC
Red Hat Product Errata RHSA-2018:2939 0 None None None 2018-10-17 19:28:59 UTC

Description Jason Shepherd 2017-09-21 23:13:11 UTC 
When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. This issue affects Apache Tomcat versions up to and including 7.0.81. The fix for CVE-2017-12615 does not prevent this issue.
Comment 9 Adam Mariš 2017-10-02 12:53:59 UTC 
External References:

https://tomcat.apache.org/security-7.html
https://tomcat.apache.org/security-8.html
Comment 10 Adam Mariš 2017-10-02 12:58:18 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1497681]
Affects: fedora-all [bug 1497682]
Comment 17 Doran Moppert 2017-10-04 05:18:03 UTC 
Mitigation:

Ensure that readonly is set to true (the default) for the DefaultServlet, WebDAV servlet or application context.

Block HTTP methods that permit resource modification for untrusted users.
Comment 18 Doran Moppert 2017-10-04 05:19:08 UTC 
Statement:

This flaw affects Tomcat on Red Hat Enterprise Linux only when a specific context is configured with readonly=false. The default configuration has a readonly context, so it is not affected.
Comment 23 errata-xmlrpc 2017-10-30 00:17:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080
Comment 24 errata-xmlrpc 2017-10-30 00:29:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081
Comment 25 errata-xmlrpc 2017-11-02 19:08:48 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2017:3114 https://access.redhat.com/errata/RHSA-2017:3114
Comment 26 errata-xmlrpc 2017-11-02 19:17:57 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2017:3113 https://access.redhat.com/errata/RHSA-2017:3113
Comment 27 errata-xmlrpc 2018-02-05 10:27:06 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:0269 https://access.redhat.com/errata/RHSA-2018:0269
Comment 28 errata-xmlrpc 2018-02-05 10:41:04 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:0268 https://access.redhat.com/errata/RHSA-2018:0268
Comment 29 errata-xmlrpc 2018-02-05 10:43:58 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:0271 https://access.redhat.com/errata/RHSA-2018:0271
Comment 30 errata-xmlrpc 2018-02-05 10:46:50 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:0270 https://access.redhat.com/errata/RHSA-2018:0270
Comment 31 errata-xmlrpc 2018-02-05 14:24:24 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:0275 https://access.redhat.com/errata/RHSA-2018:0275
Comment 34 errata-xmlrpc 2018-03-07 15:10:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465
Comment 35 errata-xmlrpc 2018-03-07 15:24:25 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466
Comment 36 errata-xmlrpc 2018-10-17 19:28:33 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse Intergration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939
Note You need to log in before you can comment on or make changes to this bug.