The Apache Tomcat team recently patched several security vulnerabilities in Apache Tomcat, one of which could allow an unauthenticated remote attacker to execute malicious code on affected servers.
Apache Tomcat, developed by the Apache Software Foundation (ASF), is an open-source web server and servlet container. It implements a number of Java EE specifications, including Java Servlet, JavaServer Pages (JSP), Expression Language and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run.
Unlike the Apache Struts 2 vulnerability recently exploited to breach the systems of the US credit reporting agency Equifax, the Tomcat flaws are less likely to be exploited, because they depend on a non-default configuration.
The remote code execution (RCE) vulnerability (CVE-2017-12617) discovered in Apache Tomcat is due to insufficient validation of user-supplied input by the affected software.
Only systems with HTTP PUT enabled are affected, that is, those where the default servlet's "readonly" initialization parameter has been set to "false" (the shipped default is "true").
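The precondition above can be checked from configuration alone. The following audit script is an added example (not code from the article or from the Tomcat project): it parses a Tomcat web.xml and reports any default or WebDAV servlet whose "readonly" init-param disables read-only mode. The two web.xml fragments are constructed for illustration; the servlet class names and the parameter name are the real Tomcat ones. Tomcat reads the value with Java's Boolean.parseBoolean, so any value other than a case-insensitive "true" turns read-only off, and the check mirrors that rather than looking only for the literal "false".

```python
"""Audit a Tomcat web.xml for the CVE-2017-12617 precondition: the default
servlet or the WebDAV servlet with init-param 'readonly' not set to true.

Added example, not code from the original article or the Tomcat project.
The two web.xml fragments below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

# Servlet classes whose 'readonly' init-param governs HTTP PUT/DELETE.
PUT_CAPABLE_SERVLETS = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}


def _local(tag):
    """Strip the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def find_writable_servlets(web_xml):
    """Return (servlet-name, servlet-class) pairs for every default/WebDAV
    servlet whose 'readonly' parameter disables read-only mode.

    An absent parameter keeps Tomcat's default (read-only), so it is not
    reported. Tomcat parses the value with Boolean.parseBoolean, which is
    true only for a case-insensitive "true"; anything else means writable.
    """
    root = ET.fromstring(web_xml)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        readonly = "true"  # Tomcat default when the parameter is absent
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = (child.text or "").strip()
            elif tag == "servlet-class":
                cls = (child.text or "").strip()
            elif tag == "init-param":
                pname = pvalue = ""
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname == "readonly":  # Tomcat looks this name up exactly
                    readonly = pvalue
        if cls in PUT_CAPABLE_SERVLETS and readonly.lower() != "true":
            findings.append((name, cls))
    return findings


# Constructed sample: PUT enabled on both servlets (note the mixed-case
# "False", which Boolean.parseBoolean also treats as not-true).
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>False</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the hardened form. The default servlet relies on the
# shipped default (read-only); WebDAV states readonly explicitly.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
  </servlet>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, "->", find_writable_servlets(doc) or "no PUT-capable servlets")
```

Run it against both conf/web.xml and each application's WEB-INF/web.xml, since an application can override the default servlet's parameters.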
"Tomcat versions prior to 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82 contain a potentially dangerous remote code execution (RCE) vulnerability on all operating systems if the default servlet is configured with the readonly parameter set to false or the WebDAV servlet is enabled with the readonly parameter set to false," says Peter Stöckli of Alphabot Security.
To exploit the vulnerability, an attacker uploads a malicious JSP (JavaServer Pages) file to a server running an affected version of Apache Tomcat; the code inside the JSP is then executed by the server when the file is subsequently requested.
To upload the malicious JSP, the attacker only needs to send an HTTP PUT request to the vulnerable server, as shown in the proof-of-concept (PoC) exploit code published by Peter on the Apache mailing list.
A successful exploit allows the attacker to execute arbitrary code on the target server.
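The two-step pattern described above (an accepted PUT of a JSP, then a GET of that path) is visible in Tomcat's access log. The following detection snippet is an added example, not code from the article or the Tomcat project. It parses lines in the default AccessLogValve pattern (%h %l %u %t "%r" %s %b) and separates PUTs of JSP paths that the server accepted (2xx) from PUTs the server refused, which indicate that PUT was not enabled. The log lines are constructed for illustration.

```python
"""Flag HTTP PUT uploads of JSP files in Tomcat access-log lines, the
request by which CVE-2017-12617 is exploited.

Added example, not code from the original article or the Tomcat project.
The log lines below are constructed and follow Tomcat's default
AccessLogValve pattern:  %h %l %u %t "%r" %s %b
"""
import re

LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does
    not match the default pattern."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_accepted_jsp_put(entry):
    """True for a PUT whose target path mentions .jsp and that the server
    accepted (201 Created for a new file, 204 No Content for an overwrite).
    '.jsp' is matched anywhere in the path, not only as the final extension,
    so an appended suffix does not slip past the check."""
    return (entry["method"] == "PUT"
            and ".jsp" in entry["path"].lower()
            and entry["status"].startswith("2"))


def scan(lines):
    """Return (accepted_jsp_uploads, rejected_puts).

    accepted_jsp_uploads: entries that should be treated as a likely
    webshell upload and investigated (the next GET of the same path is
    the execution step).
    rejected_puts: PUT attempts the server refused (403/405 etc.), i.e.
    probing against a host where PUT is not enabled.
    """
    accepted, rejected = [], []
    for line in lines:
        e = parse_line(line)
        if e is None or e["method"] != "PUT":
            continue
        if is_accepted_jsp_put(e):
            accepted.append(e)
        elif not e["status"].startswith("2"):
            rejected.append(e)
    return accepted, rejected


# Constructed sample log: one successful upload followed by a fetch of the
# uploaded JSP, and two refused PUTs from a second host.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Oct/2017:09:12:44 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [05/Oct/2017:09:12:51 +0000] "PUT /cmd.jsp HTTP/1.1" 201 -',
    '203.0.113.7 - - [05/Oct/2017:09:12:55 +0000] "GET /cmd.jsp HTTP/1.1" 200 86',
    '198.51.100.2 - - [05/Oct/2017:10:01:02 +0000] "PUT /notes.txt HTTP/1.1" 403 -',
    '198.51.100.2 - - [05/Oct/2017:10:01:09 +0000] "PUT /shell.jsp HTTP/1.1" 405 -',
]


if __name__ == "__main__":
    hits, probes = scan(SAMPLE_LOG)
    for e in hits:
        print("ALERT accepted JSP upload:", e["host"], e["path"], e["status"])
    for e in probes:
        print("info  refused PUT:", e["host"], e["path"], e["status"])
```

Feed it `logs/localhost_access_log.*.txt`; if the valve pattern has been customised, adjust the regular expression to match.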
"Because this feature is not typically required, most publicly exposed systems will not have readonly set to false and therefore will not be affected," says Peter.
This RCE vulnerability, rated "Important" by the Tomcat security team, affects Apache Tomcat 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81, and has been addressed in Tomcat 9.0.1 (Beta), 8.5.23, 8.0.47 and 7.0.82.
A similar issue (CVE-2017-12615), which affected Tomcat 7 running on Windows, was patched by the Tomcat developers on September 19th with the release of version 7.0.81.
Administrators are strongly advised to apply the updates as soon as possible, to confirm that the default and WebDAV servlets do not have readonly set to false unless HTTP PUT is genuinely needed, and to allow only trusted users network access to the affected systems.
The researchers have not observed any exploitation of these Apache Tomcat vulnerabilities in the wild.