On September 19, 2017, Apache Tomcat officially published and fixed two high-risk vulnerabilities, CVE-2017-12615 and CVE-2017-12616. The affected versions of Tomcat are from 7.0 to 7.80. Under certain conditions, an attacker can exploit the two vulnerabilities to view the source code of JSP files on the user server or upload a malicious JSP file to the user server by using a specially crafted request. Then, the attacker can access the uploaded JSP file and run arbitrary codes on the user server to obtain data or permissions of the server, which is highly risky. We recommend that you check and fix these vulnerabilities immediately.
See the following for more information about the vulnerability.
Tomcat information leakage and remote code execution vulnerabilities
CVE-2017-12615: Remote code execution vulnerability
When Apache Tomcat runs on Windows with the HTTP PUT method enabled (for example, by setting the “readonly” initialization parameter from the default value to False), an attacker can upload a JSP file to the server by using a specially crafted request. This JSP file can then be requested, and an arbitrary code that it contains can be ran by the server. The attacker can view data or gain server permissions after the execution of the malicious code.
CVE-2017-12616: Information leakage vulnerability
When VirtualDirContext is enabled in Tomcat, an attacker can bypass the security constraints and view the source code of the JSP file for resources served by VirtualDirContext by using a specially crafted request. This results in code leakage.
The preceding two vulnerabilities allow an attacker to run arbitrary codes on the user server to view data or gain server permissions, which is highly risky.
Condition and method of exploitation
CVE-2017-12615 is exploitable only when the “readonly” initialization parameter is changed from the default value to False on a Windows operating system. Tests show that the default settings in the web.xml configuration file in Tomcat 7.x do not contain the “readonly” parameter. An attacker must manually add this parameter before exploiting the vulnerability. That is, this vulnerability does not affect the versions with default configurations.
CVE-2017-12616 is exploitable after the VirtualDirContext parameter is configured in the server.xml file. Tests show that the default settings in Tomcat 7.x do not contain the VirtualDirContext parameter. An attacker must manually add this parameter before exploiting the vulnerability. That is, this vulnerability does not affect the versions with default configurations.
- CVE-2017-12615 affects Apache Tomcat 7.0.0 - 7.0.79
- CVE-2017-12616 affects Apache Tomcat 7.0.0 - 7.0.80
Check whether any affected version of Apache Tomcat is used.
How to fix or mitigate
Workaround: Set “readonly” and “VirtualDirContext” to True or comment out the parameters, disable the PUT method, and restart Tomcat.
Note: Disabling the PUT method may cause the applications that depend on the PUT method to fail to provide services.
The two vulnerabilities are fixed in the official release of 7.0.81. We recommend that you immediately upgrade to the latest version.
Alternatively, you can use Alibaba Cloud Security WAF for defense.