External risk intelligence

Apache Tomcat JSP Upload Vulnerability.

CVE advisory | Known Exploit

CVE-2017-12617

This vulnerability in Apache Tomcat allows attackers to upload and execute malicious code via specially crafted requests. Organizations running affected versions with HTTP PUTs enabled face business risk from potential system compromise and data breaches.

4 Halo Surface Signal

Unrestricted File Upload

Apache Tomcat

7.0.0 to before 7.0.82; 8.0.0 to before 8.0.47; 8.5.0 to before 8.5.23; 9.0.0 to before 9.0.1; 12.04; 16.04; 17.10; 18.04; 9.3.3; 9.3.4; 9.3.5; 9.3.6; 10.0.1; 3.1.0; 3.2.0; 12.1.0.4.0; 7.3.3.0.0 to 7...

External exposure likelihood

Halo Surface Signal score for CVE-2017-12617

Apache Tomcat is widely deployed as an internet-facing application server. This vulnerability allows remote code execution via specially crafted HTTP requests. While it requires HTTP PUTs to be enabled, the server's common role as a primary gateway means these configurations are often exposed. The prevalence of this software in public-facing environments makes this a likely target for remote explo

Horizon Alert

Summary of the vulnerability and why it matters

Apache Tomcat is vulnerable when HTTP PUT requests are enabled and the default servlet's `readonly` parameter is set to `false`. This misconfiguration allows an attacker to upload a JavaServer Pages (JSP) file to the server via a crafted request. Once uploaded, the server can be instructed to execute any code contained within that JSP file, potentially leading to unauthorized command execution and data compromise.

  • Vulnerable Apache Tomcat component
  • Allows uploading and executing JSP files
  • Enables unauthorized code execution

Attack Path

How an attacker could exploit the issue

When HTTP PUT requests are enabled on Apache Tomcat, an attacker can upload a JavaServer Pages (JSP) file. This uploaded file can then be executed by the server, potentially leading to unauthorized code execution. The ability to upload and execute code provides attackers with a pathway to compromise systems and impact business operations.

  • Exposed server with PUT enabled
  • Attacker uploads malicious JSP
  • Executed code allows control

Live Threat

Current exploitation, exposure, and threat context

The assessed threat level for this CVE is HIGH. Attackers with moderate technical skill could exploit this vulnerability if specific configurations are present on the target system. The primary risk involves attackers uploading and executing malicious code, leading to system compromise, data theft, or unauthorized access. Given the potential for severe impact and the availability of exploit code, organizations should prioritize addressing this vulnerability.

  • Likely attacker skill level: Moderate
  • Required access or conditions: HTTP PUTs enabled, specific configurations
  • Business risk or urgency: High

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Apache Tomcat allows for the execution of arbitrary code on the server if HTTP PUT requests are enabled. Attackers can upload and then execute a JSP file through a specially crafted request, posing a significant risk to organizational systems and data. The exploitability and high severity underscore the need for immediate action to identify and mitigate potential exposure.

  • Identify affected Tomcat assets.
  • Disable HTTP PUT requests if enabled.
  • Apply vendor updates and verify.
  • Monitor for related activity.
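
For the monitoring step, one option is to review Tomcat access logs for PUT requests that name a JSP and to separate those the server accepted from those it refused. This is an added example, not code from this advisory or from the Apache Tomcat project; it assumes the AccessLogValve `common` pattern, and the log lines, addresses and paths are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')

# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2017:09:14:02 +0000] "GET /index.jsp HTTP/1.1" 200 1043
198.51.100.7 - - [12/Oct/2017:09:15:40 +0000] "PUT /docs/notes.txt HTTP/1.1" 201 -
198.51.100.7 - - [12/Oct/2017:09:15:44 +0000] "PUT /docs/status.jsp HTTP/1.1" 201 -
203.0.113.5 - - [12/Oct/2017:09:20:11 +0000] "PUT /app/page%2Ejsp HTTP/1.1" 403 -
not an access log line
"""

def jsp_put_events(log_text):
    """Return (host, time, path, status, accepted) for every PUT that names a JSP."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        # Decode percent-escapes before matching so encoded names are not missed.
        path = unquote(urlsplit(m["target"]).path)
        if ".jsp" not in path.lower():
            continue
        status = int(m["status"])
        # A 2xx status means the server stored the file; treat it as an incident lead.
        events.append((m["host"], m["time"], path, status, 200 <= status < 300))
    return events

if __name__ == "__main__":
    for host, when, path, status, accepted in jsp_put_events(SAMPLE_LOG):
        label = "ACCEPTED" if accepted else "rejected"
        print(f"{label:8} {status} {host} [{when}] PUT {path}")
```

An accepted event means a file was written under the web root and should be located and examined on disk; rejected events still show that the server is being probed.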

Frequently asked questions

What is Apache Tomcat and what is it used for?

Apache Tomcat is an open-source software product that implements the Java Servlet, JSP, and WebSocket technologies. It is commonly used to run Java web applications, serving dynamic content and enabling web-based services.

How does CVE-2017-12617 allow for code execution?

CVE-2017-12617 is a 'CWE-434: Unrestricted File Upload' vulnerability. It allows an attacker to upload a JavaServer Pages (JSP) file to the Tomcat server. Once uploaded, this malicious JSP file can be executed by the server, leading to arbitrary code execution.

What are the conditions needed to exploit CVE-2017-12617?

Exploitation of this vulnerability requires that HTTP PUT requests are enabled on the Tomcat server. If this functionality is disabled, a specially crafted request to upload a JSP file will not succeed, and the bug will not be triggered.

Who should be concerned about CVE-2017-12617?

Organizations using Apache Tomcat, especially those with internet-facing servers, should be concerned. The Halo Surface Signal indicates this is a 'Likely' exposure due to Tomcat's common role as a public-facing application server, making it a potential target.

What is the first step for managing this vulnerability?

The primary first step is to consult the vendor's guidance and apply any available updates for Apache Tomcat. Ensuring that HTTP PUT requests are disabled if not explicitly needed can also mitigate the risk.
