⚠ Actively exploited in ransomware campaigns
This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions. Due date: 2022-04-15.
Severity: 8.1 HIGH
EPSS: 94.2% (top 0.08%)
CISA KEV: Ransomware; added 2022-03-25; due 2022-04-15
Exploit: Exploited in the wild; active exploitation observed
Timeline: Published Sep 19; KEV added Mar 25; KEV due Apr 15
CISA Required Action: Apply updates per vendor instructions.

Description

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. by setting the readonly initialisation parameter of the Default servlet to false), it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested, and any code it contained would be executed by the server.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (8 packages)

NVD: apache/tomcat 7.0.0 to 7.0.79
CVEList V5: apache_software_foundation/apache_tomcat 7.0.0 to 7.0.79

Also affects: Enterprise Linux 7.4, 7.5, 7.6, 7.7, 7.0, 7.0_ppc64, 7.4_ppc64, 7.5_ppc64, 7.6_ppc64, 7.7_ppc64, 9.2

Patches

Vulnerability Details (4)

OSV: When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server (2018-10-17)
GHSA: When running Apache Tomcat on Windows with HTTP PUTs enabled it was possible to upload a JSP file to the server (2018-10-17)
CVEList: CVE-2017-12615: When running Apache Tomcat 7 (2017-09-19)
VulnCheck: Apache Tomcat on Windows Remote Code Execution Vulnerability (2017)

Exploits & PoCs (2)

Exploit-DB: Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Bypass / Remote Code Execution (1) (2017-09-20)
Nuclei: Apache Tomcat Servers - Remote Code Execution

Detection Rules (7)

Suricata: ET EXPLOIT Tomcat File Upload Payload Request (CVE-2017-12615) (2019-06-26)
Suricata (4 rules with this title): ET WEB_SPECIFIC_APPS Apache Tomcat Possible CVE-2017-12617 JSP Upload Bypass Attempt (2017-10-05)

Note: the rules that reference CVE-2017-12617 cover the bypass of the original fix for this CVE (see the Red Hat advisory below), so detection coverage for the two should be reviewed together.

Vendor Advisories (3)

CISA: Apache Tomcat on Windows Remote Code Execution Vulnerability (2022-03-25)
Red Hat: tomcat: Remote Code Execution bypass for CVE-2017-12615 (2017-09-21)
Red Hat: tomcat: Remote Code Execution via JSP Upload (2017-09-19)

Community (4)

Bugzilla: CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 [fedora-all] (2017-10-02)
Bugzilla: CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 [epel-6] (2017-10-02)
Bugzilla: CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615 (2017-09-21)
Bugzilla: CVE-2017-12615 tomcat: Remote Code Execution via JSP Upload (2017-09-19)