SECURITYWEEK NETWORK:

Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Code Execution Flaws Patched in Apache Tomcat

Several vulnerabilities, including ones that allow remote attackers to execute arbitrary code, have been patched in recent weeks in Apache Tomcat.

Several vulnerabilities, including ones that allow remote attackers to execute arbitrary code, have been patched in recent weeks in Apache Tomcat.

Developed by The Apache Software Foundation, Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages (JSP), Java WebSocket and Java Expression Language technologies. Tomcat is said to be the most widely used web application server, with a presence in more than 70% of enterprise data centers.

Apache Tomcat developers informed users on Tuesday that the product is affected by a remote code execution vulnerability.Apache Tomcat vulnerabilities

The flaw, tracked as CVE-2017-12617 and classified as “important” severity, has been addressed with the release of versions 9.0.1, 8.5.23, 8.0.47 and 7.0.82. All previous 9.x, 8.5.x, 8.0.x and 7.0.x versions are impacted.

The vulnerability affects systems that have the HTTP PUT method enabled and it allows attackers to upload a malicious JSP file to a targeted server using a specially crafted request. The server would then execute the code in the JSP file when the file was requested. A proof-of-concept (PoC) exploit is publicly available.

While this sounds like a serious vulnerability, in only affects systems that have the default servlet configured with the readonly parameter set to false or the WebDAV servlet enabled with the readonly  parameter set to false.

“Since this feature is typically not wanted, most publicly exposed system won’t have readonly set to false and are thus not affected,” explained Peter Stöckli of Alphabot Security.

This vulnerability is very similar to CVE-2017-12615, which Apache Tomcat developers patched on September 19 with the release of version 7.0.81. CVE-2017-12617 has been described by one individual as a “bypass for CVE-2017-12615.”

The Apache Tomcat 7 update released in September also patched CVE-2017-12616, a flaw that allows an attacker to bypass security constraints and view the source code of JSPs via a specially crafted request.

Apache Tomcat vulnerabilities are less likely to be exploited in the wild, compared to Apache Struts 2 flaws, which have been used in many attacks, including to breach the systems of U.S. credit reporting agency Equifax.

There was a worm targeting Apache Tomcat servers a few years ago, but it did not leverage any vulnerabilities; it used common username and password combinations to gain access.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

More from

Latest News

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

VMWare Exploited in Ransomware Attacks VMWare Exploited in Ransomware Attacks

Cloud Security

VMware Plugs Critical Code Execution Flaws

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

January 24, 2023
Critical Vulnerability Impacts Over 120 Lexmark Printers

IoT Security

Critical Vulnerability Impacts Over 120 Lexmark Printers

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

January 27, 2023
Apple patches exploited vulnerability in old iPhones Apple patches exploited vulnerability in old iPhones

Mobile & Wireless

Apple Patches WebKit Code Execution in iPhones, MacBooks

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

January 23, 2023
Drupal Patches Vulnerabilities Leading to Information Disclosure

Application Security

Drupal Patches Vulnerabilities Leading to Information Disclosure

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

January 20, 2023
Microsoft Urges Customers to Patch Exchange Servers

Email Security

Microsoft Urges Customers to Patch Exchange Servers

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

January 27, 2023
Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones

Mobile & Wireless

Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

January 24, 2023
Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Vulnerabilities

Full Disclosure List Gets a Fresh Start – Reborn Under New Operator

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

March 26, 2014
CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services

Application Security

CSRF Vulnerability in Kudu SCM Allowed Code Execution in Azure Services

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

January 19, 2023