Apache Tomcat Information Disclosure CVE-2017-7674
Description
Apache Tomcat versions prior to 7.0.81 contain an information disclosure vulnerability when VirtualDirContext is configured. A specially crafted HTTP request can bypass security constraints and expose the source code of JavaServer Pages (JSP) files that should be protected. The cause is improper handling of requests for resources served through VirtualDirContext, which allows unauthorized access to sensitive application code and to any credentials or business logic embedded in it.
Remediation
Apply the following remediation steps to address this vulnerability:
- Upgrade Apache Tomcat: Update to Apache Tomcat version 7.0.81 or later, which contains the fix for this vulnerability
- Verify Configuration: Review your server.xml and context.xml files to identify any VirtualDirContext configurations that may be affected
- Test After Upgrade: Validate that security constraints are properly enforced and JSP source code is not accessible after the upgrade
- Temporary Mitigation: If immediate upgrade is not possible, consider disabling VirtualDirContext usage or implementing additional access controls at the network or web application firewall level until patching can be completed
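The configuration review and version check in the steps above can be scripted. The following Python audit helper is an added example for this page, not code from the advisory or from Apache Tomcat: it scans server.xml and context.xml text for <Resources> elements that enable VirtualDirContext and compares the installed Tomcat 7 version against the fixed release. It assumes the Tomcat 7 class name org.apache.naming.resources.VirtualDirContext and a dotted version string such as the one printed by version.sh; the configuration fragments embedded in it are constructed samples.

```python
"""Offline audit helper for the CVE-2017-7674 remediation steps.

Scans Tomcat configuration XML (server.xml / context.xml) for <Resources>
elements that enable VirtualDirContext and compares the installed Tomcat 7
version against the fixed release (7.0.81). Example code written for this
page; it is not part of the advisory or of Apache Tomcat.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Fully qualified class name that enables VirtualDirContext in Tomcat 7
# (assumed from the Tomcat 7 Resources configuration documentation).
VIRTUAL_DIR_CONTEXT_CLASS = "org.apache.naming.resources.VirtualDirContext"

# First Tomcat 7 release that contains the fix, per the advisory above.
FIXED_VERSION = (7, 0, 81)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '7.0.80' or '7.0.80.0' (as printed by version.sh) into a 3-tuple."""
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected Tomcat version string: {version!r}")
    major, minor, patch = (int(p) for p in parts[:3])
    return (major, minor, patch)


def is_vulnerable_version(version: str) -> bool:
    """True for Tomcat 7.x releases earlier than 7.0.81.

    The advisory above names only 7.0.x prior to 7.0.81; other branches are
    treated as out of scope for this check.
    """
    major, minor, patch = parse_version(version)
    return major == 7 and (major, minor, patch) < FIXED_VERSION


def find_virtual_dir_contexts(xml_text: str) -> List[Dict[str, str]]:
    """Return every <Resources> element that enables VirtualDirContext.

    Each finding records the enclosing <Context> path (if any) and the
    extraResourcePaths attribute, which maps extra directories into the
    web application.
    """
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers; build a child -> parent map so we
    # can walk up from a <Resources> element to its enclosing <Context>.
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings: List[Dict[str, str]] = []
    for res in root.iter("Resources"):
        if res.get("className") != VIRTUAL_DIR_CONTEXT_CLASS:
            continue
        context_path = "(default context)"
        node = res if res.tag == "Context" else parent_of.get(res)
        while node is not None:
            if node.tag == "Context":
                context_path = node.get("path", "(unnamed)")
                break
            node = parent_of.get(node)
        findings.append({
            "context": context_path,
            "extraResourcePaths": res.get("extraResourcePaths", ""),
        })
    return findings


def audit(version: str, config_files: Dict[str, str]) -> Dict[str, object]:
    """Combine the version check and the configuration scan into one verdict."""
    findings = {name: find_virtual_dir_contexts(text) for name, text in config_files.items()}
    uses_vdc = any(findings.values())
    vulnerable_version = is_vulnerable_version(version)
    return {
        "version": version,
        "vulnerable_version": vulnerable_version,
        "virtual_dir_context_in_use": uses_vdc,
        "findings": findings,
        # Exposure needs both an affected version and the feature enabled;
        # disabling VirtualDirContext is the temporary mitigation from the advisory.
        "exposed": vulnerable_version and uses_vdc,
    }


# Constructed sample configuration fragments (not taken from a real server).
SAMPLE_CONTEXT_XML = """<Context path="/shop">
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/=/opt/shop/static,/reports=/srv/reports"/>
</Context>
"""

SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/intranet" docBase="intranet"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


if __name__ == "__main__":
    report = audit("7.0.80", {"context.xml": SAMPLE_CONTEXT_XML,
                              "server.xml": SAMPLE_SERVER_XML})
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real files by reading each of them into the config_files mapping and passing the output of version.sh as the version string; a report with exposed set to True means both the affected version and the VirtualDirContext configuration are present, so the upgrade or the temporary mitigation applies.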