PT-2017-4238 · Apache · Apache Tomcat

Peewpw · Published 2017-10-01 · Updated 2025-10-29

CVE-2017-12617

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 7.0.0 through 7.0.81
Apache Tomcat versions 8.0.0.RC1 through 8.0.46
Apache Tomcat versions 8.5.0 through 8.5.22
Apache Tomcat versions 9.0.0.M1 through 9.0.0
Description
The issue stems from a lack of restrictions on file uploads in Apache Tomcat: when the readonly initialisation parameter of the Default servlet is set to false, the servlet accepts HTTP PUT requests, so a remote attacker can upload a specially crafted JSP file to the server. The uploaded JSP can then be requested, executing any code it contains.
Recommendations
For Apache Tomcat versions 7.0.0 through 7.0.81, update the configuration to restrict HTTP PUT requests or set the readonly initialisation parameter of the Default servlet to true.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.46, update the configuration to restrict HTTP PUT requests or set the readonly initialisation parameter of the Default servlet to true.
For Apache Tomcat versions 8.5.0 through 8.5.22, update the configuration to restrict HTTP PUT requests or set the readonly initialisation parameter of the Default servlet to true.
For Apache Tomcat versions 9.0.0.M1 through 9.0.0, update the configuration to restrict HTTP PUT requests or set the readonly initialisation parameter of the Default servlet to true.
As a temporary workaround, consider disabling the Default servlet until a patch is available. Restrict HTTP PUT requests to minimize the risk of exploitation.
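A configuration check for the precondition described above, added here as an example (it is not part of the advisory and not Apache Tomcat's own tooling): it parses a Tomcat web.xml, reports whether the Default servlet's readonly init-param is set to false, and whether a security-constraint denies HTTP PUT on /*, the advisory's other mitigation. The sample web.xml is constructed and the function names are assumptions.

```python
"""Audit a Tomcat web.xml for the CVE-2017-12617 precondition (Default servlet
'readonly' set to false) and for a security-constraint denying PUT site-wide."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    # Drop the namespace so Tomcat 7 (java.sun.com) and 8.5/9 (jcp.org) files both parse
    return tag.rsplit("}", 1)[-1]

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    kids = _kids(elem, name)
    return (kids[0].text or "").strip() if kids else ""

def audit_web_xml(xml_text):
    """Return {'readonly': bool, 'put_denied': bool, 'vulnerable': bool}."""
    root = ET.fromstring(xml_text)
    readonly = True  # DefaultServlet's documented default when the param is absent
    for servlet in _kids(root, "servlet"):
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in _kids(servlet, "init-param"):
            if _text(param, "param-name") == "readonly":
                readonly = _text(param, "param-value").lower() != "false"
    put_denied = False
    for sc in _kids(root, "security-constraint"):
        # An empty <auth-constraint/> (no role-name) denies every user
        auth = _kids(sc, "auth-constraint")
        denies_all = bool(auth) and not _kids(auth[0], "role-name")
        for wrc in _kids(sc, "web-resource-collection"):
            methods = [(m.text or "").strip().upper() for m in _kids(wrc, "http-method")]
            patterns = [(p.text or "").strip() for p in _kids(wrc, "url-pattern")]
            # No <http-method> listed means the constraint covers all methods
            if denies_all and "/*" in patterns and (not methods or "PUT" in methods):
                put_denied = True
    return {"readonly": readonly, "put_denied": put_denied,
            "vulnerable": not readonly and not put_denied}

# Constructed sample: the weak setting the advisory describes, with no PUT restriction
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

if __name__ == "__main__":
    print(audit_web_xml(WEAK_WEB_XML))
```

Point the script at conf/web.xml and any per-application WEB-INF/web.xml, since either may override the Default servlet's parameters.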

Exploit

Fix

Weakness Enumeration

Unrestricted File Upload

Related Identifiers

ALSA-2025_16880
ALT-PU-2017-2666
BDU:2023-01045
CESA-2017_3080
CESA-2017_3081
CVE-2017-12617
DLA-1166-1
ELSA-2017-3080
ELSA-2017-3081
GHSA-XJGH-84HX-56C5
MGASA-2017-0400
OPENSUSE-SU-2017_3069-1
OPENSUSE-SU-2024:11468-1
OPENSUSE-SU-2024:13441-1
RHSA-2017:3080
RHSA-2017:3081
RHSA-2017:3113
RHSA-2017_3080
RHSA-2017_3081
RHSA-2018:0268
RHSA-2018:0270
RHSA-2018:0271
RHSA-2018:0275
RHSA-2018:0466
SUSE-SU-2017:3039-1
SUSE-SU-2017:3059-1
SUSE-SU-2017:3279-1
SUSE-SU-2017_3039-1
SUSE-SU-2017_3279-1
SUSE-SU-2021:14705-1
SUSE-SU-2021_14705-1
USN-3665-1
USN-7282-1

Affected Products

Alt Linux
Apache Tomcat
Centos
Red Hat
Suse
Ubuntu