Vulnerabilities > CVE-2017-12615 - Unrestricted Upload of File with Dangerous Type vulnerability in multiple products

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
apache
netapp
redhat
CWE-434
nessus
exploit available

Summary

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerable Configurations

Part Description Count
Application
Apache
89
Application
Netapp
3
Application
Redhat
6
OS
Microsoft
1
OS
Redhat
40

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Accessing Functionality Not Properly Constrained by ACLs
    In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
  • Privilege Abuse
    An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.

Exploit-Db

descriptionApache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution. CVE-2017-12615. Webapps exploit for Win...
fileexploits/windows/webapps/42953.txt
idEDB-ID:42953
last seen2017-10-04
modified2017-09-20
platformwindows
port
published2017-09-20
reporterExploit-DB
sourcehttps://www.exploit-db.com/download/42953/
titleApache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution
typewebapps

Nessus

  • NASL familyWeb Servers
    NASL idTOMCAT_7_0_81.NASL
    descriptionThe version of Apache Tomcat installed on the remote host is 7.0.x prior to 7.0.81. It is, therefore, affected by multiple vulnerabilities : - An unspecified vulnerability when running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialization parameter of the Default to false) makes it possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. (CVE-2017-12615, CVE-2017-12617) - When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. (CVE-2017-12616) Note that Nessus has not attempted to exploit this issue but has instead relied only on the application
    last seen2020-03-18
    modified2017-09-19
    plugin id103329
    published2017-09-19
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103329
    titleApache Tomcat 7.0.x < 7.0.81 Multiple Vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3113.NASL
    descriptionAn update is now available for Red Hat JBoss Enterprise Web Server 2.1.2 for RHEL 6 and Red Hat JBoss Enterprise Web Server 2.1.2 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. This release provides an update to httpd, OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2. The updates are documented in the Release Notes document linked to in the References. This release of Red Hat JBoss Web Server 2.1.2 Service Pack 2 serves as a update for Red Hat JBoss Web Server 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Users of Red Hat JBoss Web Server 2 should upgrade to these updated packages, which resolve several security issues. Security Fix(es) : * It was discovered that the httpd
    last seen2020-06-01
    modified2020-06-02
    plugin id104456
    published2017-11-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104456
    titleRHEL 6 / 7 : Red Hat JBoss Web Server (RHSA-2017:3113) (Optionsbleed)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-3081.NASL
    descriptionAn update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id104257
    published2017-10-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104257
    titleCentOS 7 : tomcat (CESA-2017:3081)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-F499EE7B12.NASL
    descriptionThis update includes a rebase from 8.0.46 up to 8.0.47 which resolves a single CVE along with various other bugs/features : rhbz#1497682 CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-11-13
    plugin id104506
    published2017-11-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104506
    titleFedora 25 : 1:tomcat (2017-f499ee7b12)
  • NASL familyWeb Servers
    NASL idTOMCAT_6_0_24.NASL
    descriptionThe version of Apache Tomcat installed on the remote host is 6.0.x prior to 6.0.24. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the handling of pipelined requests when
    last seen2020-03-18
    modified2017-11-02
    plugin id104358
    published2017-11-02
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104358
    titleApache Tomcat 6.0.x < 6.0.24 Multiple Vulnerabilities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3081.NASL
    descriptionFrom Red Hat Security Advisory 2017:3081 : An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id104248
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104248
    titleOracle Linux 7 : tomcat (ELSA-2017-3081)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1262.NASL
    descriptionAccording to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A vulnerability was discovered in Tomcat
    last seen2020-05-06
    modified2017-11-01
    plugin id104287
    published2017-11-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104287
    titleEulerOS 2.0 SP2 : tomcat (EulerOS-SA-2017-1262)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-3080.NASL
    descriptionAn update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id119237
    published2018-11-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119237
    titleVirtuozzo 6 : tomcat6 / tomcat6-admin-webapps / etc (VZLSA-2017-3080)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3080.NASL
    descriptionFrom Red Hat Security Advisory 2017:3080 : An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id104247
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104247
    titleOracle Linux 6 : tomcat6 (ELSA-2017-3080)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_22BC5327F33F11E8BE460019DBB15B3F.NASL
    descriptionWhen running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
    last seen2020-06-01
    modified2020-06-02
    plugin id119270
    published2018-11-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119270
    titleFreeBSD : payara -- Code execution via crafted PUT requests to JSPs (22bc5327-f33f-11e8-be46-0019dbb15b3f)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20171030_TOMCAT6_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - A vulnerability was discovered in Tomcat
    last seen2020-03-18
    modified2017-10-31
    plugin id104268
    published2017-10-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104268
    titleScientific Linux Security Update : tomcat6 on SL6.x (noarch) (20171030)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-3080.NASL
    descriptionAn update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id104256
    published2017-10-31
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104256
    titleCentOS 6 : tomcat6 (CESA-2017:3080)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1261.NASL
    descriptionAccording to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A vulnerability was discovered in Tomcat
    last seen2020-05-06
    modified2017-11-01
    plugin id104286
    published2017-11-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104286
    titleEulerOS 2.0 SP1 : tomcat (EulerOS-SA-2017-1261)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0117_TOMCAT6.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has tomcat6 packages installed that are affected by multiple vulnerabilities: - It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816) - A vulnerability was discovered in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id127359
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127359
    titleNewStart CGSL MAIN 4.05 : tomcat6 Multiple Vulnerabilities (NS-SA-2019-0117)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3080.NASL
    descriptionAn update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id104250
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104250
    titleRHEL 6 : tomcat6 (RHSA-2017:3080)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0466.NASL
    descriptionAn update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 2 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * apr: Out-of-bounds array deref in apr_time_exp*() functions (CVE-2017-12613) * tomcat: Remote Code Execution via JSP Upload (CVE-2017-12615) * tomcat: Information Disclosure when using VirtualDirContext (CVE-2017-12616) * tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617) * tomcat-native: Mishandling of client certificates can allow for OCSP check bypass (CVE-2017-15698) * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id107208
    published2018-03-08
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107208
    titleRHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 2 (RHSA-2018:0466)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20171030_TOMCAT_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - A vulnerability was discovered in Tomcat
    last seen2020-03-18
    modified2017-10-31
    plugin id104269
    published2017-10-31
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104269
    titleScientific Linux Security Update : tomcat on SL7.x (noarch) (20171030)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3081.NASL
    descriptionAn update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id104251
    published2017-10-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104251
    titleRHEL 7 : tomcat (RHSA-2017:3081)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-EF7C118DBC.NASL
    descriptionThis update includes a rebase from 8.0.46 up to 8.0.47 which resolves a single CVE along with various other bugs/features : rhbz#1497682 CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-11-13
    plugin id104505
    published2017-11-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104505
    titleFedora 26 : 1:tomcat (2017-ef7c118dbc)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-EBB76FC3C9.NASL
    descriptionThis update includes a rebase from 8.0.46 up to 8.0.47 which resolves a single CVE along with various other bugs/features : rhbz#1497682 CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105995
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105995
    titleFedora 27 : 1:tomcat (2017-ebb76fc3c9)

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/144502/apachetomcat-bypassexec.txt
idPACKETSTORM:144502
last seen2017-10-06
published2017-10-04
reporterxxlegend
sourcehttps://packetstormsecurity.com/files/144502/Apache-Tomcat-JSP-Upload-Bypass-Remote-Code-Execution.html
titleApache Tomcat JSP Upload Bypass / Remote Code Execution

Redhat

advisories
  • rhsa
    idRHSA-2017:3080
  • rhsa
    idRHSA-2017:3081
  • rhsa
    idRHSA-2017:3113
  • rhsa
    idRHSA-2017:3114
  • rhsa
    idRHSA-2018:0465
  • rhsa
    idRHSA-2018:0466
rpms
  • tomcat6-0:6.0.24-111.el6_9
  • tomcat6-admin-webapps-0:6.0.24-111.el6_9
  • tomcat6-docs-webapp-0:6.0.24-111.el6_9
  • tomcat6-el-2.1-api-0:6.0.24-111.el6_9
  • tomcat6-javadoc-0:6.0.24-111.el6_9
  • tomcat6-jsp-2.1-api-0:6.0.24-111.el6_9
  • tomcat6-lib-0:6.0.24-111.el6_9
  • tomcat6-servlet-2.5-api-0:6.0.24-111.el6_9
  • tomcat6-webapps-0:6.0.24-111.el6_9
  • tomcat-0:7.0.76-3.el7_4
  • tomcat-admin-webapps-0:7.0.76-3.el7_4
  • tomcat-docs-webapp-0:7.0.76-3.el7_4
  • tomcat-el-2.2-api-0:7.0.76-3.el7_4
  • tomcat-javadoc-0:7.0.76-3.el7_4
  • tomcat-jsp-2.2-api-0:7.0.76-3.el7_4
  • tomcat-jsvc-0:7.0.76-3.el7_4
  • tomcat-lib-0:7.0.76-3.el7_4
  • tomcat-servlet-3.0-api-0:7.0.76-3.el7_4
  • tomcat-webapps-0:7.0.76-3.el7_4
  • httpd-0:2.2.26-57.ep6.el6
  • httpd-debuginfo-0:2.2.26-57.ep6.el6
  • httpd-devel-0:2.2.26-57.ep6.el6
  • httpd-manual-0:2.2.26-57.ep6.el6
  • httpd-tools-0:2.2.26-57.ep6.el6
  • httpd22-0:2.2.26-58.ep6.el7
  • httpd22-debuginfo-0:2.2.26-58.ep6.el7
  • httpd22-devel-0:2.2.26-58.ep6.el7
  • httpd22-manual-0:2.2.26-58.ep6.el7
  • httpd22-tools-0:2.2.26-58.ep6.el7
  • jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-debuginfo-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-devel-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-libs-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-perl-1:1.0.2h-14.jbcs.el7
  • jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el6
  • jbcs-httpd24-openssl-static-1:1.0.2h-14.jbcs.el7
  • mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el6
  • mod_cluster-native-0:1.2.13-9.Final_redhat_2.ep6.el7
  • mod_cluster-native-debuginfo-0:1.2.13-9.Final_redhat_2.ep6.el6
  • mod_cluster-native-debuginfo-0:1.2.13-9.Final_redhat_2.ep6.el7
  • mod_ldap-0:2.2.26-57.ep6.el6
  • mod_ldap22-0:2.2.26-58.ep6.el7
  • mod_ssl-1:2.2.26-57.ep6.el6
  • mod_ssl22-1:2.2.26-58.ep6.el7
  • tomcat6-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-admin-webapps-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-admin-webapps-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-docs-webapp-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-docs-webapp-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-el-2.1-api-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-el-2.1-api-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-javadoc-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-javadoc-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-jsp-2.1-api-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-jsp-2.1-api-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-lib-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-lib-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-log4j-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-log4j-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-maven-devel-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-maven-devel-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-servlet-2.5-api-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-servlet-2.5-api-0:6.0.41-19_patch_04.ep6.el7
  • tomcat6-webapps-0:6.0.41-19_patch_04.ep6.el6
  • tomcat6-webapps-0:6.0.41-19_patch_04.ep6.el7
  • tomcat7-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-admin-webapps-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-admin-webapps-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-docs-webapp-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-docs-webapp-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-el-2.2-api-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-el-2.2-api-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-javadoc-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-javadoc-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-jsp-2.2-api-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-jsp-2.2-api-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-lib-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-lib-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-log4j-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-log4j-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-maven-devel-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-maven-devel-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-servlet-3.0-api-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-servlet-3.0-api-0:7.0.54-28_patch_05.ep6.el7
  • tomcat7-webapps-0:7.0.54-28_patch_05.ep6.el6
  • tomcat7-webapps-0:7.0.54-28_patch_05.ep6.el7
  • mod_cluster-0:1.3.8-2.Final_redhat_2.1.ep7.el6
  • mod_cluster-0:1.3.8-2.Final_redhat_2.1.ep7.el7
  • mod_cluster-tomcat7-0:1.3.8-2.Final_redhat_2.1.ep7.el6
  • mod_cluster-tomcat7-0:1.3.8-2.Final_redhat_2.1.ep7.el7
  • mod_cluster-tomcat8-0:1.3.8-2.Final_redhat_2.1.ep7.el6
  • mod_cluster-tomcat8-0:1.3.8-2.Final_redhat_2.1.ep7.el7
  • tomcat-native-0:1.2.8-11.redhat_11.ep7.el6
  • tomcat-native-0:1.2.8-11.redhat_11.ep7.el7
  • tomcat-native-debuginfo-0:1.2.8-11.redhat_11.ep7.el6
  • tomcat-native-debuginfo-0:1.2.8-11.redhat_11.ep7.el7
  • tomcat-vault-0:1.1.6-1.Final_redhat_1.1.ep7.el6
  • tomcat-vault-0:1.1.6-1.Final_redhat_1.1.ep7.el7
  • tomcat-vault-tomcat7-0:1.1.6-1.Final_redhat_1.1.ep7.el6
  • tomcat-vault-tomcat7-0:1.1.6-1.Final_redhat_1.1.ep7.el7
  • tomcat-vault-tomcat8-0:1.1.6-1.Final_redhat_1.1.ep7.el6
  • tomcat-vault-tomcat8-0:1.1.6-1.Final_redhat_1.1.ep7.el7
  • tomcat7-0:7.0.70-25.ep7.el6
  • tomcat7-0:7.0.70-25.ep7.el7
  • tomcat7-admin-webapps-0:7.0.70-25.ep7.el6
  • tomcat7-admin-webapps-0:7.0.70-25.ep7.el7
  • tomcat7-docs-webapp-0:7.0.70-25.ep7.el6
  • tomcat7-docs-webapp-0:7.0.70-25.ep7.el7
  • tomcat7-el-2.2-api-0:7.0.70-25.ep7.el6
  • tomcat7-el-2.2-api-0:7.0.70-25.ep7.el7
  • tomcat7-javadoc-0:7.0.70-25.ep7.el6
  • tomcat7-javadoc-0:7.0.70-25.ep7.el7
  • tomcat7-jsp-2.2-api-0:7.0.70-25.ep7.el6
  • tomcat7-jsp-2.2-api-0:7.0.70-25.ep7.el7
  • tomcat7-jsvc-0:7.0.70-25.ep7.el6
  • tomcat7-jsvc-0:7.0.70-25.ep7.el7
  • tomcat7-lib-0:7.0.70-25.ep7.el6
  • tomcat7-lib-0:7.0.70-25.ep7.el7
  • tomcat7-log4j-0:7.0.70-25.ep7.el6
  • tomcat7-log4j-0:7.0.70-25.ep7.el7
  • tomcat7-selinux-0:7.0.70-25.ep7.el6
  • tomcat7-selinux-0:7.0.70-25.ep7.el7
  • tomcat7-servlet-3.0-api-0:7.0.70-25.ep7.el6
  • tomcat7-servlet-3.0-api-0:7.0.70-25.ep7.el7
  • tomcat7-webapps-0:7.0.70-25.ep7.el6
  • tomcat7-webapps-0:7.0.70-25.ep7.el7
  • tomcat8-0:8.0.36-29.ep7.el6
  • tomcat8-0:8.0.36-29.ep7.el7
  • tomcat8-admin-webapps-0:8.0.36-29.ep7.el6
  • tomcat8-admin-webapps-0:8.0.36-29.ep7.el7
  • tomcat8-docs-webapp-0:8.0.36-29.ep7.el6
  • tomcat8-docs-webapp-0:8.0.36-29.ep7.el7
  • tomcat8-el-2.2-api-0:8.0.36-29.ep7.el6
  • tomcat8-el-2.2-api-0:8.0.36-29.ep7.el7
  • tomcat8-javadoc-0:8.0.36-29.ep7.el6
  • tomcat8-javadoc-0:8.0.36-29.ep7.el7
  • tomcat8-jsp-2.3-api-0:8.0.36-29.ep7.el6
  • tomcat8-jsp-2.3-api-0:8.0.36-29.ep7.el7
  • tomcat8-jsvc-0:8.0.36-29.ep7.el6
  • tomcat8-jsvc-0:8.0.36-29.ep7.el7
  • tomcat8-lib-0:8.0.36-29.ep7.el6
  • tomcat8-lib-0:8.0.36-29.ep7.el7
  • tomcat8-log4j-0:8.0.36-29.ep7.el6
  • tomcat8-log4j-0:8.0.36-29.ep7.el7
  • tomcat8-selinux-0:8.0.36-29.ep7.el6
  • tomcat8-selinux-0:8.0.36-29.ep7.el7
  • tomcat8-servlet-3.1-api-0:8.0.36-29.ep7.el6
  • tomcat8-servlet-3.1-api-0:8.0.36-29.ep7.el7
  • tomcat8-webapps-0:8.0.36-29.ep7.el6
  • tomcat8-webapps-0:8.0.36-29.ep7.el7

Seebug

  • bulletinFamilyexploit
    description### Vulnerability tidbits 2017 9 November 19, Apache Tomcat official confirmation and fixes two high-risk vulnerabilities, the vulnerability CVE number:CVE-2017-12615 and CVE-2017-12616,wherein the remote code execution vulnerability, CVE-2017-12615 impact: Apache Tomcat 7.0.0 - 7.0.79(7.0.81 repair incomplete) When Tomcat is running on a Windows host, and enable the HTTP PUT request method, for example, the readonly initialization parameters by default value is set to false, the attacker will be possible through a carefully constructed attack request to the server to upload contain any code of the JSP file. After the JSP file in the code will be server for execution. ### Basic information * Vulnerability name: Tomcat arbitrary file upload vulnerability * Vulnerability ID: CVE-2017-12615 * Vulnerability: upload contains any code file, and the server implementation. * Impact platform: Windows * Affected versions: Apache Tomcat 7.0.0 - 7.0.81 ### The testing process 0x00 to install Tomcat 7.0.79 ![](https://images.seebug.org/1505896519949) #### 0x01 turn on HTTP PUT Modify the Tomcat 7.0/conf/web. the xml file Add the readonly attribute, the messenger readonly=false. ![](https://images.seebug.org/1505896590779) Restart tomcat #### 0x02 arbitrary file upload · pose a Idea: refer to Microsoft on MSDN about the NTFS Streams, a segment data https://msdn. microsoft. com/en-us/library/dn393272. aspx `All files on an NTFS volume consist of at least one stream - the main stream – this is the normal, viewable file in which data is stored. The full name of a stream is of the form below. <filename>:<stream name>:<stream type> The default data stream has no name. That is, the fully qualified name for the default stream for a file called "sample.txt" is "sample.txt::$DATA" since "sample.txt" is the name of the file and "$DATA" is the stream type.` `payload::` `PUT /111. jsp::$DATA HTTP/1.1 Host: 10.1.1.6:8080 User-Agent: JNTASS DNT: 1 Connection: close ...jsp shell...` The write is successful #### 0x03 arbitrary file upload · posture two can attack Tomcat 7.0.81) Ideas: you can upload a jSp file(but not parse), but not to upload jsp. Description tomcat for jsp is to do a certain process. Then consider whether you can make its process to the file name identifying the presence of differences, the preceding process in the test. jsp/ recognition of non-jsp files, and then continue saving the file when the file name does not accept/character, and therefore ignored. payload / `PUT /222. jsp/ HTTP/1.1 Host: 10.1.1.6:8080 User-Agent: JNTASS DNT: 1 Connection: close ...jsp shell...` ![](https://images.seebug.org/1505896605899) The write is successful #### 0x04 chopper connection ![](https://images.seebug.org/1505896614783)
    idSSV:96557
    last seen2017-11-19
    modified2017-09-20
    published2017-09-20
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-96557
    titleTomcat code execution vulnerability(CVE-2017-12615)
  • bulletinFamilyexploit
    description### Several recent Tomcat CVE * CVE-2017-5664 Tomcat Security Constraint Bypass * CVE-2017-12615 remote code execution vulnerability * CVE-2017-12616 information disclosure vulnerability ### Common Is tasteless With JspServlet and DefaultServlet about the system. CVE-2017-12615 this remote code execution are everywhere, and it seems like no one is watching CVE-2017-12616 cause JSP source code leakage problems. Here simply write about it. CVE-2017-12616 ### Requirements Target the use of VirtualDirContext to mount the virtual directory. Mount the virtual catalog of the demand should still have some, so should be larger than the opening and PUT the probability to be larger, but is also tasteless. ### A brief analysis To cause Jsp source code disclosure, definitely need to let the DefaultServlet to handle jsp requests. Tomcat use similar JNDI way to manage Web resources, JSP, static file, Class, etc. By default, resources by FileDirContext to manage. And the use of VirtualDirContext mount the virtual catalog, is by the VirtualDirContext to manage. Through the similar to CVE-2017-12615 use way to access the virtual directory of resources, allowing the request by the DefaultServlet processing, the Tomcat from VirtualDirContext management of resources to obtain access to the jsp files through the doLookup method, directly to the content returned, resulting in source code disclosure. Why only the virtual directory for the existence of this vulnerability? Because of the non-virtual directory default by FileDirContext management. FileDirContext in the presence of a named file check method. `` protected File file(String name) { File file = new File(base, name); if (file. the exists() && file. the canRead()) { if (allowLinking) return file; // Check that this file belongs to our root path String canPath = null; try { canPath = file. getCanonicalPath(); } catch (IOException e) { // Ignore } if (canPath == null) return null; // Check to see if going outside of the web application root if (! canPath. startsWith(absoluteBase)) { return null; } // Case sensitivity check - this is now always done String fileAbsPath = file. getAbsolutePath(); if (fileAbsPath. endsWith(".")) fileAbsPath = fileAbsPath + "/"; String absPath = normalize(fileAbsPath); canPath = normalize(canPath); if ((absoluteBase. length() < absPath. length()) && (absoluteBase. length() < canPath. length())) { absPath = absPath. substring(absoluteBase. length() + 1); if (absPath. equals("")) absPath = "/"; canPath = canPath. substring(absoluteBase. length() + 1); if (canPath. equals("")) canPath = "/"; if (! canPath. equals(absPath)) return null; } } else { return null; } return file; } `` This method can not prevent /a. jsp/ this URL, but DefaultServlet then have a check at the end of the/, leading to / Can't be used. And the new version of the fix mode is also the code for the small-scale reconstruction, the above method of checking the disassembly to called the validate method, and re-wrote VirtualDirContext in a lot of method, call the validate access to the file to be checked. ### Use With CVE-2017-12615 similar, to achieve the view Jsp file source code of the effect.
    idSSV:96562
    last seen2017-11-19
    modified2017-09-21
    published2017-09-21
    reporterRoot
    titleTomcat information disclosure Vulnerability(CVE-2017-12616 )analysis

The Hacker News

idTHN:96A25F981DD18505C101D0FC9DAA7B30
last seen2018-01-27
modified2017-10-05
published2017-10-05
reporterSwati Khandelwal
sourcehttps://thehackernews.com/2017/10/apache-tomcat-rce.html
titleApache Tomcat Patches Important Remote Code Execution Flaw

References