CVE-2017-12617
JSP file upload leading to remote code execution in org.apache.tomcat:tomcat-catalina and org.apache.tomcat.embed:tomcat-embed-core
What is CVE-2017-12617 About?
This vulnerability in Apache Tomcat allows an unauthenticated attacker to upload a JSP file into a deployed web application when HTTP PUT is enabled on the Default servlet (its 'readonly' initialization parameter set to 'false'; Tomcat ships with it effectively 'true'). A specially crafted PUT request writes the JSP under the application's document root, and a following request for that file makes Tomcat compile and run the attacker's code. The impact is remote code execution as the Tomcat process user, and exploitation is trivial wherever PUT has been enabled.
Affected Software
- org.apache.tomcat:tomcat-catalina
- >=7.0.0, <7.0.82
- >=8.0.0-RC1, <8.0.47
- >=8.5.0, <8.5.23
- >=9.0.0.M1, <9.0.1
- org.apache.tomcat.embed:tomcat-embed-core
- >=7.0.0, <7.0.82
- >=8.0.0-RC1, <8.0.47
- >=8.5.0, <8.5.23
- >=9.0.0.M1, <9.0.1
Technical Details
The vulnerability affects Apache Tomcat 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 when HTTP PUT is enabled, which is done by setting the 'readonly' initialization parameter of the Default servlet to 'false', either in conf/web.xml or in a web application's WEB-INF/web.xml (the parameter is optional and Tomcat's built-in default is 'true'). Requests for *.jsp are normally routed to the JSP servlet, which does not accept PUT, so a plain PUT of a .jsp file is refused. The public proofs of concept listed below instead send the PUT to a path such as /shell.jsp/ with a trailing slash: the URL no longer matches the *.jsp mapping, the Default servlet handles the PUT, and the trailing slash is discarded when the file is written, leaving shell.jsp inside the web application's document root (not at an arbitrary filesystem location). A subsequent GET for the JSP makes Tomcat compile and execute the attacker-supplied code, leading to remote code execution (RCE). The fixed versions close this bypass; they do not change the meaning of 'readonly', so a deployment that needs PUT should still restrict it with a security constraint.
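The two preconditions above (an affected version and a Default servlet with 'readonly' set to 'false') can be checked offline. The following is an added example written for this page, not Tomcat's own code or code from any of the referenced sources; the version ranges are the ones listed on this page, the two web.xml fragments are constructed for illustration (a misconfigured one beside the hardened one), and the function names are this example's own.

```python
"""Audit the two CVE-2017-12617 preconditions: a Tomcat version in an
affected range and a DefaultServlet with readonly=false.

Added example, not Tomcat's own code. The web.xml fragments below are
constructed for illustration."""
import re
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# First fixed patch level per branch, taken from the ranges on this page.
FIRST_FIXED = {(7, 0): 82, (8, 0): 47, (8, 5): 23, (9, 0): 1}


def is_affected(version):
    """True if a Tomcat version string lies in an affected range.
    Milestone and RC builds (9.0.0.M1, 8.0.0.RC1, 8.0.0-RC1) precede the
    numbered release they belong to, so comparing the first three numeric
    components is enough for this CVE's ranges."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    if len(nums) != 3:
        raise ValueError("expected major.minor.patch, got %r" % version)
    major, minor, patch = nums
    fixed = FIRST_FIXED.get((major, minor))
    return fixed is not None and patch < fixed


def _local(tag):
    # Strip the Java EE namespace so the check works with or without xmlns.
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the DefaultServlet's 'readonly' setting from a web.xml:
    False means PUT/DELETE are enabled, True means they are refused.
    The parameter is optional and Tomcat's built-in default is True.
    Returns None if no DefaultServlet is declared at all (a webapp's
    WEB-INF/web.xml then inherits whatever conf/web.xml says)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = None
        params = {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                name = value = None
                for field in child:
                    if _local(field.tag) == "param-name":
                        name = (field.text or "").strip()
                    elif _local(field.tag) == "param-value":
                        value = (field.text or "").strip()
                if name is not None:
                    params[name] = value
        if servlet_class == DEFAULT_SERVLET:
            return (params.get("readonly") or "true").lower() == "true"
    return None


def put_upload_exposed(web_xml_text, version):
    """True only when both preconditions hold: affected version and
    readonly explicitly set to false."""
    return is_affected(version) and default_servlet_readonly(web_xml_text) is False


# Constructed fragment of a misconfigured web.xml: PUT enabled.
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Hardened form: readonly back to true (omitting the parameter is equivalent).
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>")

if __name__ == "__main__":
    for label, xml_text in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for v in ("8.5.22", "8.5.23"):
            print(label, v, "exposed" if put_upload_exposed(xml_text, v) else "not exposed")
```

Run it against a real conf/web.xml and every WEB-INF/web.xml on the host; a webapp that declares its own DefaultServlet overrides the global setting, which is why the function reports None rather than assuming 'true' when no declaration is found.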
What is the Impact of CVE-2017-12617?
Successful exploitation may allow attackers to gain full control over the compromised server, execute arbitrary code, and potentially compromise data or other systems within the network.
What is the Exploitability of CVE-2017-12617?
Exploitation is of low complexity. The only prerequisite is that HTTP PUT is enabled on the Default servlet ('readonly' set to 'false'); Tomcat does not ship that way, so a vulnerable host is misconfigured as well as unpatched, and that misconfiguration is what makes exploitation highly probable once present. No authentication or special privileges are needed unless the deployment adds its own security constraints, because the flaw sits in the file upload path itself. The attack is remote, requiring only HTTP access to the Tomcat instance: the attacker sends one PUT request carrying the JSP body to a crafted path, then one GET request for the written file to execute it, which makes the whole attack two requests.
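Because the attack is exactly two requests, it leaves a recognisable pair of entries in the Tomcat access log: a PUT aimed at a JSP (accepted with 2xx, or refused with 405 when it hits the JSP servlet directly) followed by a request for that same JSP. The detection below is an added example written for this page, not Tomcat, vendor or PoC code; it assumes the AccessLogValve 'common' pattern (%h %l %u %t "%r" %s %b), the log lines are constructed rather than captured from a real host, and it goes slightly beyond the trailing-slash trick described above by also normalising the Windows-only trailing-space and ::$DATA suffix variants.

```python
"""Detect the CVE-2017-12617 upload-then-execute sequence in Tomcat access
logs written with the AccessLogValve 'common' pattern:
    %h %l %u %t "%r" %s %b

Added detection example, not Tomcat or vendor code. The log lines below
are constructed, not captured from a real host."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+$')

# Suffixes that keep a PUT from matching the *.jsp servlet mapping (so the
# Default servlet handles it) but are discarded when the file is written.
# The trailing slash is the cross-platform trick used by the PoCs on this
# page; the trailing space and NTFS ::$DATA forms are Windows-only variants
# (added here as an assumption beyond the page's example).
BYPASS_SUFFIXES = ("/", " ", "::$DATA")
JSP_EXTS = (".jsp", ".jspx")


def jsp_written_by_put(target):
    """Return the JSP path a PUT to `target` would create, or None when the
    request does not aim at a JSP. A bare /shell.jsp is returned too, so a
    405-refused direct attempt is still visible as reconnaissance."""
    path = unquote(target.split("?", 1)[0])
    for suffix in BYPASS_SUFFIXES:
        if path.endswith(suffix):
            path = path[: -len(suffix)]
    return path if path.lower().endswith(JSP_EXTS) else None


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return (severity, client, message) findings.
    'low'      : PUT aimed at a JSP that the server refused
    'high'     : PUT the server accepted (2xx), i.e. a JSP now exists
    'critical' : that JSP was then requested, i.e. the code has run.
    Execution is correlated by path rather than client address, since the
    attacker may fetch the shell from a different host."""
    findings = []
    written = {}  # jsp path -> index into findings
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        method, target, status = rec["method"], rec["target"], rec["status"]
        if method == "PUT":
            jsp = jsp_written_by_put(target)
            if jsp is None:
                continue
            if 200 <= status < 300:
                findings.append(["high", rec["host"],
                                 "JSP written via PUT %s -> %s (status %d)" % (target, jsp, status)])
                written[jsp] = len(findings) - 1
            else:
                findings.append(["low", rec["host"],
                                 "JSP PUT refused: %s (status %d)" % (target, status)])
        else:
            path = unquote(target.split("?", 1)[0])
            if path in written:
                f = findings[written[path]]
                f[0] = "critical"
                f[2] += "; then requested by %s: %s %s (status %d)" % (rec["host"], method, target, status)
    return [tuple(f) for f in findings]


# Constructed sample: one benign visitor, one attacker who first tries a
# direct PUT (refused by the JSP servlet), then the trailing-slash upload,
# then runs the shell; a PUT of a .txt file is not flagged at all.
SAMPLE_LOG = [
    '192.168.1.9 - - [29/Sep/2017:13:44:58 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.5 - - [29/Sep/2017:13:45:00 +0000] "PUT /shell.jsp HTTP/1.1" 405 -',
    '10.0.0.5 - - [29/Sep/2017:13:45:01 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 -',
    '10.0.0.5 - - [29/Sep/2017:13:45:03 +0000] "GET /shell.jsp?cmd=id HTTP/1.1" 200 312',
    '192.168.1.9 - - [29/Sep/2017:13:45:10 +0000] "PUT /notes.txt HTTP/1.1" 201 -',
]

if __name__ == "__main__":
    for severity, client, message in detect(SAMPLE_LOG):
        print(severity.upper(), client, message)
```

A 201 or 204 on any PUT whose normalised path ends in .jsp is worth an alert on its own; the 'critical' escalation only confirms that the uploaded code was also executed. Logs written with a different AccessLogValve pattern need the regular expression adjusted to match.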
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| cyberheartmi9 | Link | Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.82 - JSP Upload Bypass / Remote Code Execution |
| ygouzerh | Link | Proof of Concept - RCE Exploitation: Web Shell on Apache Tomcat - Ensimag, January 2018 |
| LongWayHomie | Link | CVE-2017-12617 is a critical vulnerability leading to Remote Code Execution (RCE) in Apache Tomcat. |
What are the Available Fixes for CVE-2017-12617?
Available Upgrade Options
- org.apache.tomcat:tomcat-catalina
- >=7.0.0, <7.0.82 → Upgrade to 7.0.82
- >=8.0.0-RC1, <8.0.47 → Upgrade to 8.0.47
- >=8.5.0, <8.5.23 → Upgrade to 8.5.23
- >=9.0.0.M1, <9.0.1 → Upgrade to 9.0.1
- org.apache.tomcat.embed:tomcat-embed-core
- >=7.0.0, <7.0.82 → Upgrade to 7.0.82
- >=8.0.0-RC1, <8.0.47 → Upgrade to 8.0.47
- >=8.5.0, <8.5.23 → Upgrade to 8.5.23
- >=9.0.0.M1, <9.0.1 → Upgrade to 9.0.1
Additional Resources
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
- https://github.com/apache/tomcat/commit/c177e9668d1278710bdb14c0eb8d2702b3655f5a
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
- https://github.com/apache/tomcat/commit/4cf7dab88282c8f3c92f0b961cdb0096e1d63e88
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://github.com/apache/tomcat/commit/b7e0435d17aba69f16ae9e8a78ad0f1565b552af
- https://access.redhat.com/errata/RHSA-2018:0465
What are Similar Vulnerabilities to CVE-2017-12617?
Similar Vulnerabilities: CVE-2018-11759, CVE-2019-0232, CVE-2020-1938, CVE-2021-25329, CVE-2022-25114
