PT-2017-16656 · Apache · Apache Tomcat
Published: 2017-05-10 · Updated: 2024-06-15
CVE-2017-5664
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 9.0.0.M1 through 9.0.0.M20
Apache Tomcat versions 8.5.0 through 8.5.14
Apache Tomcat versions 8.0.0.RC1 through 8.0.43
Apache Tomcat versions 7.0.0 through 7.0.77
Description
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for that error, the original request and response are forwarded to the error page with the original HTTP method. If the error page is a static file, the expected behavior is to serve the content of the file as if processing a GET request, regardless of the actual HTTP method. The DefaultServlet in Apache Tomcat did not do this, which could lead to unexpected and undesirable results for static error pages, including the replacement or removal of the custom error page if the DefaultServlet is configured to permit writes (for example, an error dispatch triggered by a PUT or DELETE request being applied to the error page file itself). JSPs and custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
Recommendations
For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M20, update to a version outside of this range to resolve the issue.
For Apache Tomcat versions 8.5.0 through 8.5.14, update to a version outside of this range to resolve the issue.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.43, update to a version outside of this range to resolve the issue.
For Apache Tomcat versions 7.0.0 through 7.0.77, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider configuring error pages to handle any error dispatch as a GET request, regardless of the actual method, to minimize the risk of exploitation.
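The following servlet is an added example of the workaround just described; it is not code from Apache Tomcat or from this advisory, and the class name, URL mapping and HTML body are assumptions. It overrides service() so that any request reaching it through an error dispatch is routed to doGet(), whatever method the original request used, so the error page can only ever be read.

```java
// Added example (not Tomcat's or the advisory's own code): a custom error
// page servlet that treats every error dispatch as a GET, regardless of the
// HTTP method of the original request. Class name and mapping are assumed.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.DispatcherType;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ErrorPageServlet extends HttpServlet {

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // When the container forwards to this servlet because of an error,
        // the dispatcher type is ERROR while req.getMethod() still reports
        // the original method (PUT, DELETE, POST, ...). Route every such
        // dispatch to doGet so the page is only rendered, never modified or
        // removed on the strength of the caller's method.
        if (req.getDispatcherType() == DispatcherType.ERROR) {
            doGet(req, resp);
            return;
        }
        // Direct (non-error) requests keep normal HttpServlet dispatching:
        // doGet answers GET and HEAD; every other method gets a 405 because
        // no doPost/doPut/doDelete is implemented for this read-only page.
        super.service(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Preserve the status code of the error that triggered the dispatch;
        // fall back to 500 if the page is requested directly.
        Integer status = (Integer) req.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
        int code = status != null ? status : HttpServletResponse.SC_INTERNAL_SERVER_ERROR;
        resp.setStatus(code);
        resp.setContentType("text/html;charset=UTF-8");
        try (PrintWriter out = resp.getWriter()) {
            out.println("<html><body>");
            out.println("<h1>Error " + code + "</h1>");
            out.println("<p>The request could not be completed.</p>");
            out.println("</body></html>");
        }
    }
}
```

Register the servlet under a path such as `/error` (an assumed mapping) and point the application's `<error-page>` entries in web.xml at it. A JSP used as an error page needs the same discipline: it must not branch on request.getMethod() in a way that writes or deletes anything. The other half of the mitigation on an unpatched build is to keep the DefaultServlet's `readonly` init-param at its default of `true`, since the advisory only describes the error page being replaced or removed when the DefaultServlet is configured to permit writes.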
Weakness Enumeration
Improper Handling of Exceptional Conditions
Affected Products
ALT Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu