Apache Tomcat Patches Important Remote Code Execution Flaw

The Apache Tomcat team has recently patched several security vulnerabilities in Apache Tomcat, one of which could allow an unauthorised attacker to execute malicious code on affected servers remotely.

Apache Tomcat, developed by the Apache Software Foundation (ASF), is an open source web server and servlet system, which uses several Java EE specifications like Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket, and provides a “pure Java” HTTP web server environment for Java concept to run in.

Unlike Apache Struts2 vulnerabilities, which have recently been exploited to breach the systems of American credit reporting agency Equifax, Apache Tomcat flaws are less likely to be exploited.

The critical Remote Code Execution (RCE) vulnerability (CVE-2017-12617) discovered in Apache Tomcat is due to insufficient validation of user-supplied input by the affected software.

Only systems with HTTP PUTs enabled (via setting the “read-only” initialization parameter of the Default servlet to “false”) are affected.

“Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous remote code execution (RCE) vulnerability on all operating systems if the default servlet is configured with the parameter readonly set to false or the WebDAV servlet is enabled with the parameter readonly set to false,” says Peter Stöckli of Alphabot Security.

Exploiting this vulnerability requires an attacker to upload a maliciously crafted Java Server Page (JSP) file to a targeted server running an affected version of Apache Tomcat, and the code contained in the JSP file would be executed by the server when the file is requested.

Read more…

Source: The Hacker News