External risk intelligence

Apache Tomcat File Upload and Execution Vulnerability.

CVE advisory | Known Exploit

CVE-2017-12615

A vulnerability in Apache Tomcat on Windows, when configured with HTTP PUTs enabled, allows for the upload and execution of malicious code. This impacts organizations by enabling attackers to gain control of affected systems, posing a significant business risk.

4 Halo Surface Signal

Unrestricted File Upload

Apache Tomcat

7.0.0 to 7.0.79, 7.4, 7.6, 7.7, 2.0.0, 3.0.0, 6.0, 7.0, 7.5, 7.0_s390x, 7.4_s390x, 7.5_s390x, 7.6_s390x, 7.7_s390x, 7.0_ppc64, 7.4_ppc64, 7.5_ppc64, 7.6_ppc64, 7.7_ppc64, 7.0_ppc64le, 7.4_ppc64le; ...

External exposure likelihood

Halo Surface Signal score for CVE-2017-12615

This vulnerability affects Apache Tomcat, a widely deployed web server and application server platform. When configured to support HTTP PUT requests, it functions as an internet-facing web service capable of handling file uploads, which is a common deployment pattern for web applications, APIs, and edge services that are reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

Apache Tomcat, when running on Windows with HTTP PUTs enabled, has a vulnerability that allows for the upload of malicious JavaServer Pages (JSP) files. These uploaded files can then be executed by the server, potentially leading to unauthorized actions. The impact of this vulnerability can include the compromise of sensitive data, disruption of services, and unauthorized access to organizational systems.

  • Vulnerable component: Apache Tomcat on Windows.
  • Core weakness: Allows JSP file uploads via crafted requests.
  • Main business impact: Data compromise and service disruption.

Attack Path

How an attacker could exploit the issue

An attacker can upload a JavaServer Pages (JSP) file to a vulnerable Apache Tomcat server. When that JSP file is then accessed, the server executes the malicious code it contains, which can result in unauthorized control over the affected system.

  • Exposed server with HTTP PUT enabled.
  • Attacker uploads a JSP file.
  • Executing the JSP gives the attacker control of the system.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a significant risk due to its potential for remote code execution on affected systems. Attackers can exploit this by uploading malicious JavaServer Pages (JSP) files, which are then executed by the server. This could lead to a complete compromise of the affected system, allowing attackers to steal sensitive data, disrupt operations, or use the system for further malicious activities. The documented exploitability and the potential for full system compromise indicate a high level of business risk.

  • Low attacker skill level required.
  • Requires specific server configuration.
  • High business risk; treat as urgent.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The organization should take immediate action to address a critical vulnerability in Apache Tomcat, which may allow attackers to execute arbitrary code on affected systems. This vulnerability arises when specific configurations, such as enabling HTTP PUT requests, are active on Windows servers. Prompt remediation is essential to mitigate the risk of unauthorized code execution and potential system compromise.

  • Identify all exposed Apache Tomcat assets.
  • Disable HTTP PUTs or isolate affected systems.
  • Apply vendor patches and validate the fix.
  • Monitor for related suspicious activity.
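
The "disable HTTP PUTs" and "monitor" steps above can be checked with a short script; this is an added example, not code from the advisory or from the Tomcat project. It assumes PUT handling is governed by the DefaultServlet `readonly` init-param in `web.xml` (read-only when the parameter is absent) and that access logs use the common pattern; the function names and both sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace, if any
def _children(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def writable_default_servlets(web_xml_text):
    """Names of DefaultServlet entries declared with init-param readonly=false."""
    names = []
    for servlet in ET.fromstring(web_xml_text).iter():
        info = _children(servlet)
        if _local(servlet.tag) != "servlet" or info.get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            kv = _children(param)
            if (_local(param.tag) == "init-param" and kv.get("param-name") == "readonly"
                    and kv.get("param-value", "").lower() == "false"):
                names.append(info.get("servlet-name", "?"))
    return names

_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def jsp_put_hits(log_lines):
    """(path, status) for 2xx PUT requests whose URL-decoded path contains '.jsp'."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if (m and m["method"] == "PUT" and m["status"].startswith("2")
                and ".jsp" in unquote(m["path"]).lower()):
            hits.append((m["path"], int(m["status"])))
    return hits

# Constructed sample inputs (not taken from the advisory).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
SAMPLE_LOG = [
    '198.51.100.9 - - [01/Jan/2024:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:02 +0000] "PUT /docs/readme.txt HTTP/1.1" 201 -',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "PUT /Upload.JSP HTTP/1.1" 201 -',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "PUT /other.jsp HTTP/1.1" 403 -',
]
```

Run `writable_default_servlets` against both the global `conf/web.xml` and each application's `WEB-INF/web.xml`, since either can declare the servlet; any name it returns, or any row from `jsp_put_hits`, warrants follow-up.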

Frequently asked questions

What is Apache Tomcat and what is it used for?

Apache Tomcat is an open-source software implementation of the Java Servlet, JavaServer Pages, Java Expression Language, and WebSocket technologies. It is commonly used to run Java-based web applications and services, acting as a web server or a standalone application server.

What type of vulnerability is CVE-2017-12615?

CVE-2017-12615 is an instance of a "File upload vulnerability" (CWE-434). It allows an attacker to upload a JavaServer Pages (JSP) file to the server, which can then be executed to run arbitrary code.

What are the conditions needed to exploit CVE-2017-12615?

This vulnerability can be exploited if Apache Tomcat is running on Windows and has HTTP PUT requests enabled. If these conditions are met, a specially crafted request can be used to upload a malicious JSP file. The vulnerability is not triggered if HTTP PUTs are disabled.

How relevant is CVE-2017-12615 to my organization?

This vulnerability is considered likely to be relevant because Apache Tomcat is a widely used web server, and when configured to allow file uploads, it can be an internet-facing service. This makes it a potential target for attackers.

What is the first step to address CVE-2017-12615?

The initial step for organizations running affected versions of Apache Tomcat is to apply updates provided by the vendor. Disabling HTTP PUT requests, if not necessary for application functionality, is also a crucial mitigation.
