6.8
MEDIUM

CVE-2017-12617

Published: 04/10/2017 Updated: 18/10/2018
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2

Vulnerability Summary

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Oracle has released the Critical Patch Update for January 2018. The update contains 237 new security fixes that address vulnerabilities in multiple Oracle product families. The update addresses vulnerabilities that could allow an attacker to access sensitive information, gain elevated privileges, execute arbitrary code, or cause a denial of service (DoS) condition on a targeted system.

This update also includes security fixes for the Spectre, Meltdown, and Intel processor vulnerabilities.

Administrators are advised to apply the appropriate software updates.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to monitor affected systems.

Oracle has released a security advisory, which includes a list of affected products and product versions, at the following link: Oracle Critical Patch Update Advisory - January 2018

Oracle has released patches at the following link: Oracle Downloads

CentOS packages can be updated using the up2date or yum command.

FreeBSD has released a VuXML document at the following link: MySQL -- multiple vulnerabilities


FreeBSD has released ports collection updates at the following link: Ports Collection Index


Red Hat has released official CVE statements and multiple security advisories for multiple bugs at the following links: RHSA-2018:0095, RHSA-2018-0099, RHSA-2018-0100, RHSA-2018-0115, RHSA-2018-0349, RHSA-2018-0351, and RHSA-2018-0458



Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Affected Products

Vendor: Apache
Product: Tomcat
Versions: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18, 7.0.19, 7.0.20, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.0.25, 7.0.26, 7.0.27, 7.0.28, 7.0.29, 7.0.30, 7.0.31, 7.0.32, 7.0.33, 7.0.34, 7.0.35, 7.0.36, 7.0.37, 7.0.38, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.51, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 7.0.79, 7.0.80, 7.0.81, 8.0.0, 8.0.1, 8.0.2, 8.0.4, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26, 8.0.27, 8.0.28, 8.0.29, 8.0.30, 8.0.31, 8.0.32, 8.0.33, 8.0.34, 8.0.35, 8.0.36, 8.0.37, 8.0.38, 8.0.39, 8.0.40, 8.0.41, 8.0.42, 8.0.43, 8.0.44, 8.0.45, 8.0.46, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 8.5.19, 8.5.20, 8.5.21, 8.5.22, 9.0.0

Mitigation

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to monitor affected systems.

Exploitation

To exploit this vulnerability, the attacker must upload a crafted JSP file to a targeted system, making exploitation difficult in environments that restrict network access from untrusted sources.

Metasploit Modules

Tomcat RCE via JSP Upload Bypass

This module uploads a jsp payload and executes it.

msf > use exploit/multi/http/tomcat_jsp_upload_bypass
msf exploit(tomcat_jsp_upload_bypass) > show targets
    ...targets...
msf exploit(tomcat_jsp_upload_bypass) > set TARGET <target-id>
msf exploit(tomcat_jsp_upload_bypass) > show options
    ...show and set options...
msf exploit(tomcat_jsp_upload_bypass) > exploit

Github Repositories

CVE-2017-12617 CVE-2017-12617 critical Remote Code Execution (RCE) vulnerability discovered in Apache Tomcat. Systems with HTTP PUTs enabled (via setting the "read-only" initialization parameter of the Default servlet to "false") are affected. Tomcat versions before 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous remote code ex

Payloads All The Things A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :) You can also contribute with a beer IRL or with buymeacoffee.com Every section contains: README.md - vulnerability description and how to exploit it Intruders - a set of files to give to Burp Intrude

Awesome CVE PoC A curated list of CVE PoCs. Here is a collection about Proof of Concepts of Common Vulnerabilities and Exposures, and you may also want to check out awesome-web-security. Please read the contribution guidelines before contributing. This repo is full of PoCs for CVEs. If you enjoy this awesome list and would like to support it, check out my Patreon page :

YAWAST The YAWAST Antecedent Web Application Security Toolkit YAWAST is an application meant to simplify initial analysis and information gathering for penetration testers and security auditors. It performs basic checks in these categories: TLS/SSL - Versions and cipher suites supported; common issues. Information Disclosure - Checks for common information leaks. Presence

Payloads All The Things A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :) You can also contribute with a beer IRL or Every section contains: README.md - vulnerability description and how to exploit it Intruders - a set of files to give to Burp Intruder Some exploits You m

Payloads All The Things A list of useful payloads and bypasses for Web Application Security. Feel free to improve with your payloads and techniques ! I <3 pull requests :) Every section contains: README.md - vulnerability description and how to exploit it Intruders - a set of files to give to Burp Intruder Some exploits You might also like : Methodology and Resources

Jok3r - Network and Web Pentest Framework Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests. Its main goal is to save time on everything that can be automated during network/web pentest in order to enjoy more time on more interesting and challenging stuff. To achieve that, it combines ope

ABOUT: Sn1per Community Edition is an automated scanner that can be used during a penetration test to enumerate and scan for vulnerabilities. Sn1per Professional is Xero Security's premium reporting addon for Professional Penetration Testers, Bug Bounty Researchers and Corporate Security teams to manage large environments and pentest scopes. For more information regarding

Exploits Containing Self Made Perl Reproducers / PoC Codes This Git Repository Contains Personal Works That I Do On My free time. Donations / Support If you want to support/help me/my projects : BTC : 1N9BgzVVT8ye3UEUXb2p7Pum7RbmEx3byz ETC : 0x789bc32e951ccdaa5702d70fe02e21f596baa085 ETH : 0x789bc32e951ccdaa5702d70fe02e21f596baa085 LTC : LVSPDkX5Dr95cKqQnCMoLgYyzGBdtSsi3y T

CVE-2017-12617 Code put together from a few people's ideas, credit given, don't use maliciously please

CVE-shellshock Common Vulnerabilities and Exposures Big CVEs in the last 5 years. CVE-2014-0160 - Heartbleed The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication se

POC_CVE-2017-12615 CVE-2017-12615 for tomcat server Original POC: https://www.exploit-db.com/exploits/42953/

Aware IM Developer Resources Aware IM is a rapid application development tool that lets you create powerful aesthetically appealing web applications quickly. Aware IM developer tools, tips, news and resources. Changelog Software Written in 100% Java programming language. Aware IM is based on the plethora of Java technologies such as J2EE application server, JDBC, JMS, JSP/
