[SingCERT] Alert on Two Apache Tomcat Security Vulnerabilities (CVE-2017-12615 and CVE-2017-12616)

Published on Sunday, 24 September 2017 18:10

Background
On 19 September 2017, the Apache Software Foundation announced two important security vulnerabilities (CVE-2017-12615 and CVE-2017-12616) in its Apache Tomcat 7.0.x which could lead to remote code execution (RCE).

Apache Tomcat is an open-source HTTP server and Java servlet container developed by the Apache Software Foundation. Many Internet websites employ Apache Tomcat to serve Java Servlets and Java Server Pages.

Affected Systems
Web application servers using Apache Tomcat versions from 7.0.0 to 7.0.81 are affected.

Impact
• CVE-2017-12615: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, an attacker could bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially-crafted request.

• CVE-2017-12616: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, an attacker could upload a JSP file to the server via a specially-crafted request. The arbitrary code inside the JSP could then be executed by the server.

Recommendations
System Administrators should immediately verify their existing Apache Tomcat versions and upgrade affected systems to Apache Tomcat versions 7.0.82 (or higher).

Additional Configuration Options
System Administrators may consider the following options in the $CATALINA_BASE/conf/web.xml configuration file:
(i) Disabling the HTTP PUT method by adding a security constraint:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Forbidden</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            <http-method>OPTIONS</http-method>
            <http-method>TRACE</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>empty_role</role-name>
        </auth-constraint>
    </security-constraint>

(ii) Setting the DefaultServlet "readonly" init-param to true so that HTTP PUT and DELETE requests are rejected:
    <servlet>
        <servlet-name>default</servlet-name>
        <servlet-class>
          org.apache.catalina.servlets.DefaultServlet
        </servlet-class>
        <init-param>
            <param-name>readonly</param-name>
            <param-value>true</param-value>
        </init-param>
        <load-on-startup>1</load-on-startup>
    </servlet>
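To verify that a deployment actually carries one of the two settings above, the following audit script (an added example, not part of the SingCERT advisory or of Tomcat itself) parses a web.xml and reports whether the DefaultServlet is read-only and whether a security constraint blocks PUT on /*. The embedded web.xml is a constructed sample showing the weak readonly=false setting.

```python
import xml.etree.ElementTree as ET
# Constructed sample web.xml (not from the advisory) with the weak setting.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace from a tag ('{ns}servlet' -> 'servlet')."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    """Text of the first direct child with the given local name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_web_xml(xml_text):
    """Report whether DefaultServlet is read-only (Tomcat's default when the
    param is absent) and whether a security-constraint blocks PUT on /*."""
    root = ET.fromstring(xml_text)
    findings = {"default_servlet_readonly": True, "put_blocked_by_constraint": False}
    for elem in root.iter():
        name = _local(elem.tag)
        if name == "servlet" and _child_text(elem, "servlet-name") == "default":
            for param in elem:
                if _local(param.tag) == "init-param" and _child_text(param, "param-name") == "readonly":
                    value = _child_text(param, "param-value") or ""
                    findings["default_servlet_readonly"] = value.lower() == "true"
        elif name == "security-constraint":
            methods, patterns = set(), set()
            for wrc in (c for c in elem if _local(c.tag) == "web-resource-collection"):
                for c in wrc:
                    if _local(c.tag) == "http-method":
                        methods.add((c.text or "").strip().upper())
                    elif _local(c.tag) == "url-pattern":
                        patterns.add((c.text or "").strip())
            has_auth = any(_local(c.tag) == "auth-constraint" for c in elem)
            if "PUT" in methods and "/*" in patterns and has_auth:
                findings["put_blocked_by_constraint"] = True
    return findings
```

Run it against $CATALINA_BASE/conf/web.xml and each application's WEB-INF/web.xml, since an application-level DefaultServlet mapping can override the global one.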

References
http://tomcat.apache.org/security-7.html#Apache_Tomcat_7.x_vulnerabilities