5
CVSSv2

CVE-2017-5664

Published: 06/06/2017 Updated: 23/04/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 472
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Vulnerability Trend

Affected Products

Vendor Product Versions
ApacheTomcat7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.12, 7.0.13, 7.0.14, 7.0.15, 7.0.16, 7.0.17, 7.0.18, 7.0.19, 7.0.20, 7.0.21, 7.0.22, 7.0.23, 7.0.24, 7.0.25, 7.0.26, 7.0.27, 7.0.28, 7.0.29, 7.0.30, 7.0.31, 7.0.32, 7.0.33, 7.0.34, 7.0.35, 7.0.36, 7.0.37, 7.0.38, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.51, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26, 8.0.27, 8.0.28, 8.0.29, 8.0.30, 8.0.31, 8.0.32, 8.0.33, 8.0.34, 8.0.35, 8.0.36, 8.0.37, 8.0.38, 8.0.39, 8.0.40, 8.0.41, 8.0.42, 8.0.43, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 9.0.0

Vendor Advisories

Synopsis Important: tomcat security update Type/Severity Security Advisory: Important Topic An update for tomcat is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, w ...
Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and JSP engine, static error pages used the original request's HTTP method to serve content, instead of systematically using the GET method This could under certain conditions result in undesirable results, including the replacement or removal of the custom error page For the oldsta ...
Synopsis Important: tomcat6 security update Type/Severity Security Advisory: Important Topic An update for tomcat6 is now available for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System (CVSS) base score, ...
Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and JSP engine, static error pages used the original request's HTTP method to serve content, instead of systematically using the GET method This could under certain conditions result in undesirable results, including the replacement or removal of the custom error page For the oldsta ...
Synopsis Important: Red Hat JBoss Web Server 310 Service Pack 1 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31 for RHEL 6 and Red Hat JBoss Web Server 31 for RHEL 7Red Hat Product Security has rated this update as having a sec ...
Synopsis Important: Red Hat JBoss Web Server Service Pack 1 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web Server 31Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring Sys ...
Several security issues were fixed in Tomcat ...
Security constrained bypass in error page mechanism:A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page (CVE-2017-5664 ) ...
Security constrained bypass in error page mechanism:A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page (CVE-2017-5664 ) ...
Arch Linux Security Advisory ASA-201706-7 ========================================= Severity: High Date : 2017-06-06 CVE-ID : CVE-2017-5664 Package : tomcat8 Type : access restriction bypass Remote : Yes Link : securityarchlinuxorg/AVG-291 Summary ======= The package tomcat8 before version 8044-1 is vulnerable to access re ...
Arch Linux Security Advisory ASA-201706-6 ========================================= Severity: High Date : 2017-06-06 CVE-ID : CVE-2017-5664 Package : tomcat7 Type : access restriction bypass Remote : Yes Link : securityarchlinuxorg/AVG-290 Summary ======= The package tomcat7 before version 7078-1 is vulnerable to access re ...
Security constrained bypass in error page mechanism:A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page (CVE-2017-5664 ) The CORS Filter in Apache Tomcat 900M1 to 90 ...
Security constrained bypass in error page mechanism:While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 900M1 to 900M17, 850 to 8511, 800RC1 to 8041, and 700 to 7075 did not use the appropriate facade object When running an untrusted application under a SecurityManager, it was ...
A security issue has been found in Apache Tomcat < 7018 and < 8044 The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page This means that the request is presented to the e ...
Symantec Network Protection products using affected versions of Apache Tomcat are susceptible to multiple security vulnerabilities  A remote attacker, with access to the management interface, can obtain sensitive information from the server, modify information associated with a different web application, execute arbitrary code, modify server beha ...
Oracle Solaris Third Party Bulletin - July 2017 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical P ...
Oracle Linux Bulletin - July 2017 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are released ...
Oracle Critical Patch Update Advisory - July 2018 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous C ...
Oracle Critical Patch Update Advisory - April 2018 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous ...
Oracle Linux Bulletin - October 2017 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin Oracle Linux Bulletins are published on the same day as Oracle Critical ...
Multiple vulnerabilities have been found in JP1/Network Node Manager i CVE-2016-6816, CVE-2017-5664 Affected products and versions are listed below Please upgrade your version to the appropriate version ...
Oracle Critical Patch Update Advisory - January 2018 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
Oracle Critical Patch Update Advisory - October 2017 Description A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the ...

Mailing Lists

Note: the current version of the following document is available here: softwaresupportsoftwaregrpcom/document/-/facetsearch/document/KM03302206 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: KM03302206 Version: 1 MFSBGN03837 rev1 - Network Node Manager i, Multiple Vulnerabilities NOTICE: The information in this Security Bulle ...

Github Repositories

vulners-yum-scanner Note: quick and dirty 8-) CLI utility for scanning a Yum repository against Vulners for advisories/CVE's This utility supports the following commands audit - Using a repo url (public or private), download the primary repo XML file, get the latest packages, and utilize the Vulners API to search for advisories/CVE's based on package version info,

References

CWE-254http://www.debian.org/security/2017/dsa-3891http://www.debian.org/security/2017/dsa-3892http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlhttp://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.securityfocus.com/bid/98888http://www.securitytracker.com/id/1038641https://access.redhat.com/errata/RHSA-2017:1801https://access.redhat.com/errata/RHSA-2017:1802https://access.redhat.com/errata/RHSA-2017:1809https://access.redhat.com/errata/RHSA-2017:2493https://access.redhat.com/errata/RHSA-2017:2494https://access.redhat.com/errata/RHSA-2017:2633https://access.redhat.com/errata/RHSA-2017:2635https://access.redhat.com/errata/RHSA-2017:2636https://access.redhat.com/errata/RHSA-2017:2637https://access.redhat.com/errata/RHSA-2017:2638https://access.redhat.com/errata/RHSA-2017:3080https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066@%3Cannounce.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3Ehttps://security.netapp.com/advisory/ntap-20171019-0002/https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_ushttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.rapid7.com/db/vulnerabilities/ubuntu-cve-2017-5664https://access.redhat.com/errata/RHSA-2017:1809https://nvd.nist.govhttps://usn.ubuntu.com/3519-1/https://www.rapid7.com/db/vulnerabilities/centos_linux-cve-2017-5664https://tools.cisco.com/security/center/viewAlert.x?alertId=55627