Vulnerabilities in Apache Tomcat, regarded as the world's most widely used web application server and deployed in over 70 percent of enterprise data centers, were uncovered and patched over the past few weeks. Among them are two remote code execution (RCE) vulnerabilities that allow remote attackers to execute arbitrary code, and one that can be exploited to bypass security constraints and view sensitive information.
Apache Tomcat developers addressed the most recently discovered bug on October 3. According to the developers, the vulnerability designated CVE-2017-12617 affects systems that have the HTTP PUT method enabled, which is done by setting the readonly initialization parameter of the Default servlet to false. CVE-2017-12617 allows attackers to upload a malicious JSP file to a targeted server using a specially crafted request; the server then executes the code in the JSP file when that file is requested. According to a security expert, an attacker would not be able to upload a malicious file if the readonly initialization parameter is set to true.
Here’s the list of affected versions and the links to their respective fixes:
To mitigate the risk of exploitation, users of the product were advised to upgrade to later versions where the vulnerability is fixed.
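The precondition described above is a single setting: a DefaultServlet whose readonly initialization parameter is false. The following audit script is an added example (not from the original article or from the Apache Tomcat project) that parses a Tomcat web.xml and reports any DefaultServlet configured that way, treating a missing readonly parameter as Tomcat's documented default of true. The sample web.xml text is constructed for illustration; in a real deployment the same check applies to conf/web.xml and to each application's WEB-INF/web.xml.

```python
"""Audit a Tomcat web.xml for a DefaultServlet with readonly=false.

Added example, not code from the article or from Apache Tomcat. The
sample web.xml produced by sample_web_xml() is constructed for this
illustration.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace so the check works for any Servlet spec version."""
    return tag.rsplit("}", 1)[-1]


def find_writable_default_servlets(web_xml_text):
    """Return a list of (servlet-name, readonly-value) for every DefaultServlet
    whose readonly init-param is false (case-insensitive).

    A DefaultServlet with no readonly init-param is treated as readonly=true,
    which is Tomcat's documented default, so it is not reported.
    """
    root = ET.fromstring(web_xml_text)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        readonly = "true"  # Tomcat's default when the parameter is absent
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                pname = pvalue = None
                for param in child:
                    if _local(param.tag) == "param-name":
                        pname = (param.text or "").strip()
                    elif _local(param.tag) == "param-value":
                        pvalue = (param.text or "").strip()
                if pname == "readonly" and pvalue is not None:
                    readonly = pvalue
        if cls == DEFAULT_SERVLET and readonly.lower() == "false":
            findings.append((name, readonly))
    return findings


def sample_web_xml(readonly=None):
    """Build a constructed web.xml fragment; readonly=None omits the parameter."""
    readonly_param = ""
    if readonly is not None:
        readonly_param = (
            "    <init-param>\n"
            "      <param-name>readonly</param-name>\n"
            f"      <param-value>{readonly}</param-value>\n"
            "    </init-param>\n"
        )
    return (
        '<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">\n'
        "  <servlet>\n"
        "    <servlet-name>default</servlet-name>\n"
        f"    <servlet-class>{DEFAULT_SERVLET}</servlet-class>\n"
        "    <init-param>\n"
        "      <param-name>debug</param-name>\n"
        "      <param-value>0</param-value>\n"
        "    </init-param>\n"
        f"{readonly_param}"
        "    <load-on-startup>1</load-on-startup>\n"
        "  </servlet>\n"
        "</web-app>\n"
    )


if __name__ == "__main__":
    for label, value in (("weak", "false"), ("hardened", "true"), ("default", None)):
        print(label, find_writable_default_servlets(sample_web_xml(value)))
```

The weak and hardened configurations differ only in the readonly value; running the script on both shows the weak one reported as ("default", "false") and the other two producing no findings. Because the global conf/web.xml is inherited by every application, a single readonly=false there exposes all of them.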
CVE-2017-12615, addressed on September 19 before CVE-2017-12617 emerged, is similar to it; in fact, CVE-2017-12617 exists because the fix for CVE-2017-12615 was incomplete. CVE-2017-12615 was found in Apache Tomcat versions 7.0.0 to 7.0.79, and users were told to upgrade to version 7.0.81 or later.
The other vulnerability, CVE-2017-12616, stems from the use or misuse of the VirtualDirContext feature, which should not be used in production environments but only to ease development with IDEs without needing to fully republish jars in WEB-INF/lib. Using a specially crafted request, the vulnerability can be exploited to bypass security constraints or view the source code of JSPs for resources served by the VirtualDirContext.
Solutions and Mitigations
Attackers generally require access to a vulnerable machine to deploy attacks remotely. Aside from the timely application of patches, users can prevent threats that may exploit Apache Tomcat vulnerabilities by reviewing access to critical systems and ensuring that policies and perimeter security are up to date. Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects servers and endpoints from threats that may abuse vulnerabilities. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats that may exploit vulnerabilities even without any engine or pattern update.
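Reviewing access to a Tomcat server in the sense used above can include reading its access log for the two-step pattern the article describes: a PUT that stores a JSP resource, followed by a request for that resource. The script below is an added example (not from the original article or from Apache Tomcat) that parses lines in the format of Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b), reports every PUT or DELETE whose path contains ".jsp", records whether the server accepted it (2xx status), and notes whether the same path was fetched afterwards. The log lines are constructed for this illustration; adapt LOG_RE if your valve uses a different pattern.

```python
"""Flag JSP write requests in a Tomcat access log and correlate them with
later fetches of the same path.

Added example, not code from the article or from Apache Tomcat. SAMPLE_LOG
is constructed; the addresses are documentation ranges (RFC 5737).
"""
import re

# Tomcat default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Both methods are governed by the DefaultServlet readonly parameter.
WRITE_METHODS = {"PUT", "DELETE"}


def parse_line(line):
    """Return the parsed fields as a dict, or None for a line that does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def find_jsp_writes(lines):
    """Return one finding per PUT/DELETE whose path contains '.jsp'
    (case-insensitive).

    'succeeded' is True when the server answered 2xx, i.e. the write was
    accepted; 'later_requested' is True when a GET for the identical path
    appears later in the log, which is the execution step the article
    describes for CVE-2017-12617.
    """
    records = [rec for rec in map(parse_line, lines) if rec is not None]
    findings = []
    for index, rec in enumerate(records):
        if rec["method"] not in WRITE_METHODS or ".jsp" not in rec["path"].lower():
            continue
        later_get = any(
            later["method"] == "GET" and later["path"] == rec["path"]
            for later in records[index + 1:]
        )
        findings.append({
            "host": rec["host"],
            "time": rec["time"],
            "method": rec["method"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "succeeded": rec["status"].startswith("2"),
            "later_requested": later_get,
        })
    return findings


# Constructed sample: an ordinary page view, a benign PUT of a CSV file,
# an accepted JSP upload that is fetched afterwards, a rejected JSP upload,
# and one unparseable line.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Oct/2017:10:15:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512',
    '192.0.2.10 - - [03/Oct/2017:10:15:02 +0000] "PUT /app/report.csv HTTP/1.1" 201 -',
    '198.51.100.7 - - [03/Oct/2017:10:16:40 +0000] "PUT /app/hello.jsp HTTP/1.1" 201 -',
    '198.51.100.7 - - [03/Oct/2017:10:16:41 +0000] "GET /app/hello.jsp HTTP/1.1" 200 44',
    '203.0.113.9 - - [03/Oct/2017:10:20:05 +0000] "PUT /app/test.JSP HTTP/1.1" 403 -',
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for finding in find_jsp_writes(SAMPLE_LOG):
        print(finding)
```

On the sample log the script reports two findings: the accepted upload from 198.51.100.7 with succeeded and later_requested both True, and the rejected attempt from 203.0.113.9 with succeeded False. A finding with succeeded True on a server that is supposed to be read-only is the signal worth escalating, since it means the readonly parameter was false at the time of the request.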