Multiple Vulnerabilities in Apache Tomcat Could Allow for Remote Code Execution

ITS Advisory Number: 2017-089 - (UPDATED)
Date(s) Issued: Wednesday, September 20, 2017
Date Updated: Friday, September 22, 2017
Subject: Multiple Vulnerabilities in Apache Tomcat Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in Apache Tomcat, the most severe of which could allow for remote code execution. Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. 

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

THREAT INTELLIGENCE:

There are no reports of these vulnerabilities being actively exploited in the wild. 

Systems Affected: 
  • Apache Tomcat 7.0.x versions prior to 7.0.81 

September 22, 2017 - UPDATED SYSTEMS AFFECTED:

  • Apache Tomcat 7.0.x versions prior to 7.0.82
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: Medium
BUSINESS
Large and medium business entities: High
Small business entities: Medium
Home Users: N/A
Description: 

Multiple vulnerabilities have been discovered in Apache Tomcat, the most severe of which could allow for remote code execution. Details of these vulnerabilities are as follows:

  • A remote code execution vulnerability exists when running on Windows with HTTP PUTs enabled. It was possible to upload a JSP file to the server via a specially crafted request. (CVE-2017-12615)

  • An information disclosure vulnerability exists when using a VirtualDirContext: it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. (CVE-2017-12616)

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the application. Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

September 22, 2017 - UPDATED DESCRIPTION:

A remote code execution vulnerability exists when running on Windows with HTTP PUTs enabled. It was possible to upload a JSP file to the server via a specially crafted request. (CVE-2017-12617)

Note: CVE-2017-12617 is the same vulnerability as CVE-2017-12615. The 7.0.82 patch was released as the previous patch did not resolve the remote code execution vulnerability described in CVE-2017-12615.
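The precondition for the remote code execution issue described above is an HTTP PUT-enabled deployment. The following is an added configuration audit, not part of this advisory or of the Tomcat project: it parses a Tomcat web.xml and reports any DefaultServlet or WebdavServlet declaration whose readonly init-param is explicitly set to false (Tomcat's default is true, which rejects PUT and DELETE). The web.xml content is a constructed sample; the function and helper names are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat conf/web.xml fragment (not from the advisory):
# the "default" servlet has readonly=false, which enables HTTP PUT/DELETE.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>
"""

# Servlet classes that honour the readonly init-param.
WRITE_CAPABLE_CLASSES = (
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
)


def _local(tag):
    """Strip the XML namespace so matching works for any Java EE schema version."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else ""


def find_writable_servlets(web_xml_text):
    """Return servlet names where readonly is explicitly false, i.e. PUT is enabled."""
    root = ET.fromstring(web_xml_text)
    writable = []
    for servlet in _children(root, "servlet"):
        if _text(servlet, "servlet-class") not in WRITE_CAPABLE_CLASSES:
            continue
        for param in _children(servlet, "init-param"):
            if (_text(param, "param-name") == "readonly"
                    and _text(param, "param-value").lower() == "false"):
                writable.append(_text(servlet, "servlet-name"))
    return writable


if __name__ == "__main__":
    for name in find_writable_servlets(SAMPLE_WEB_XML):
        print(f"servlet '{name}' has readonly=false: HTTP PUT is enabled")
```

Run it against conf/web.xml and each application's WEB-INF/web.xml; an empty result means no declaration turns readonly off (a missing readonly param keeps Tomcat's default of true).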

Actions: 
  • After appropriate testing, immediately upgrade to one of the non-impacted versions of Apache Tomcat (7.0.81).

  • Verify no unauthorized system modifications have occurred on the system before applying the patch.

  • Frequently validate type and content of uploaded data.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

September 22, 2017 - UPDATED ACTIONS: 

  • Upgrade to one of the non-impacted versions of Apache Tomcat (7.0.82) after appropriate testing.
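To support the action of validating uploaded content, the following is an added detection example, not part of this advisory: it reads Tomcat access log lines in the AccessLogValve "common" pattern and flags PUT requests whose path carries a JSP extension. The log lines are constructed samples; the function names are this example's own.

```python
import re

# Constructed Tomcat access log lines in the AccessLogValve "common" pattern
# (%h %l %u %t "%r" %s %b); sample values, not taken from the advisory.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [20/Sep/2017:10:15:32 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '10.0.0.5 - - [20/Sep/2017:10:15:40 +0000] "PUT /app/uploads/report.json HTTP/1.1" 201 -',
    '198.51.100.7 - - [20/Sep/2017:10:16:02 +0000] "PUT /app/test.jsp HTTP/1.1" 201 -',
    '198.51.100.7 - - [20/Sep/2017:10:16:09 +0000] "PUT /app/notes.JSPX?x=1 HTTP/1.1" 204 -',
    'garbage line that does not match the pattern',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$'
)
JSP_EXT = (".jsp", ".jspx")


def is_jsp_path(path):
    """True if any segment of the request path ends in a JSP extension (case-insensitive)."""
    path = path.split("?", 1)[0]  # ignore the query string
    return any(seg.lower().endswith(JSP_EXT) for seg in path.split("/"))


def flag_jsp_puts(lines):
    """Return (client, path, status) for PUT requests that target JSP content.

    Lines that do not match the expected pattern are skipped rather than
    raising, so a partially corrupted log does not stop the scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("method") == "PUT" and is_jsp_path(m.group("path")):
            hits.append((m.group("client"), m.group("path"), int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for client, path, status in flag_jsp_puts(SAMPLE_ACCESS_LOG):
        print(f"PUT of JSP content from {client}: {path} -> HTTP {status}")
```

A 2xx status on a flagged line means the server accepted the write, which warrants checking the webapp directory for the named file before patching, in line with the action to verify no unauthorized modifications have occurred.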