Jump to content
Fi8sVrs

Apache Tomcat Patches Important Remote Code Execution Flaw

Recommended Posts

  • Active Members
Posted

apache-tomcat-rce-exploit.png

The Apache Tomcat team has recently patched several security vulnerabilities in Apache Tomcat, one of which could allow an unauthorised attacker to execute malicious code on affected servers remotely.
Apache Tomcat, developed by the Apache Software Foundation (ASF), is an open source web server and servlet system, which uses several Java EE specifications like Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket, and provides a "pure Java" HTTP web server environment for Java concept to run in.
Unlike Apache Struts2 vulnerabilities, which have recently been exploited to breach the systems of American credit reporting agency Equifax, Apache Tomcat flaws are less likely to be exploited.

The critical Remote Code Execution (RCE) vulnerability (CVE-2017-12617) discovered in Apache Tomcat is due to insufficient validation of user-supplied input by the affected software.
Only systems with HTTP PUTs enabled (via setting the "read-only" initialization parameter of the Default servlet to "false") are affected.
Quote

"Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous remote code execution (RCE) vulnerability on all operating systems if the default servlet is configured with the parameter readonly set to false or the WebDAV servlet is enabled with the parameter readonly set to false," says Peter Stöckli of Alphabot Security.

Exploiting this vulnerability requires an attacker to upload a maliciously crafted Java Server Page (JSP) file to a targeted server running an affected version of Apache Tomcat, and the code contained in the JSP file would be executed by the server when the file is requested.

apache-tomcat-remote-code-execution-expl

 

To upload the maliciously crafted JSP, the attacker just needs to send an HTTP PUT request to the vulnerable server, as mentioned in the proof-of-concept (PoC) exploit code published by Peter on the Apache mailing list.

apache-tomcat-rce.png

The exploit would eventually allow the attacker to execute malicious code on the targeted server.

Quote

"Since this feature is typically not wanted, the most publicly exposed system will not have readonly set to false and are thus not affected," Peter explains.

This RCE vulnerability, marked as "important," impacts all Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81, and has been addressed with the release of Tomcat versions 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82.
 

A similar security issue (CVE-2017-12615) discovered in Tomcat 7 on Windows was patched by the Apache Tomcat developers on September 19 with the release of version 7.0.81.

Administrators are strongly recommended to apply the software updates as soon as possible and are advised to allow only trusted users to have network access as well as monitor affected systems.

The researchers have not detected any incident of the exploitation of one of these Apache Tomcat vulnerabilities in the wild.
 
  • Upvote 2

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...