CVE-2017-12617
Published: 3 October 2017
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Priority
Status
Package | Release | Status |
---|---|---|
tomcat7 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
xenial |
Needed
|
|
artful |
Ignored
(end of life)
|
|
bionic |
Needed
|
|
cosmic |
Ignored
(end of life)
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
trusty |
Released
(7.0.52-1ubuntu0.14)
|
|
upstream |
Released
(7.0.82)
|
|
zesty |
Ignored
(end of life)
|
|
mantic |
Does not exist
|
|
Patches: upstream: https://svn.apache.org/r1804604 upstream: https://svn.apache.org/r1804643 upstream: https://svn.apache.org/r1804729 upstream: https://svn.apache.org/r1806940 upstream: https://svn.apache.org/r1809288 upstream: https://svn.apache.org/r1809293 upstream: https://svn.apache.org/r1809298 upstream: https://svn.apache.org/r1809358 upstream: https://svn.apache.org/r1809978 upstream: https://svn.apache.org/r1809992 upstream: https://svn.apache.org/r1810014 upstream: https://svn.apache.org/r1810026 |
||
tomcat8 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
artful |
Released
(8.5.21-1ubuntu1.1)
|
|
bionic |
Not vulnerable
(8.5.30-1ubuntu1)
|
|
cosmic |
Not vulnerable
(8.5.30-1ubuntu2)
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
precise |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(8.0.47,8.5.23)
|
|
xenial |
Released
(8.0.32-1ubuntu1.6)
|
|
zesty |
Ignored
(end of life)
|
|
mantic |
Does not exist
|
|
Patches: upstream: https://svn.apache.org/r1809272 upstream: https://svn.apache.org/r1809274 upstream: https://svn.apache.org/r1809275 upstream: https://svn.apache.org/r1809673 upstream: https://svn.apache.org/r1809675 upstream: https://svn.apache.org/r1809896 upstream: https://svn.apache.org/r1809283 upstream: https://svn.apache.org/r1809284 upstream: https://svn.apache.org/r1809285 upstream: https://svn.apache.org/r1809296 upstream: https://svn.apache.org/r1809921 |
||
tomcat8.0 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
artful |
Ignored
(end of life)
|
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
eoan |
Does not exist
|
|
focal |
Does not exist
|
|
groovy |
Does not exist
|
|
impish |
Does not exist
|
|
jammy |
Does not exist
|
|
kinetic |
Does not exist
|
|
lunar |
Does not exist
|
|
trusty |
Does not exist
|
|
upstream |
Released
(8.0.47)
|
|
xenial |
Does not exist
|
|
mantic |
Does not exist
|
|
Patches: upstream: https://svn.apache.org/r1809921 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
- https://www.alphabot.com/security/blog/2017/java/Apache-Tomcat-RCE-CVE-2017-12617.html
- https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E
- https://ubuntu.com/security/notices/USN-3665-1
- NVD
- Launchpad
- Debian