Apache Tomcat Remote Code Execution Vulnerability - Vulnerability Database

Apache Tomcat Remote Code Execution Vulnerability

Description

Apache Tomcat versions 7.0.0 through 7.0.79 running on Windows operating systems are vulnerable to remote code execution when HTTP PUT requests are enabled. By default, the DefaultServlet has a 'readonly' parameter set to true, which prevents file uploads. However, when this parameter is explicitly set to false, attackers can exploit a path traversal weakness to upload malicious JSP files to the server. Once uploaded, these JSP files can be accessed via HTTP requests, causing the server to execute any embedded code with the privileges of the Tomcat process.

Remediation

Immediately upgrade Apache Tomcat to version 7.0.81 or later, which contains a fix for CVE-2017-12615. If immediate patching is not possible, implement the following temporary mitigations:

1. Disable HTTP PUT requests by ensuring the DefaultServlet 'readonly' parameter is set to true (this is the default configuration). Verify your web.xml configuration:

<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>

2. Restrict access to the Tomcat server using firewall rules or network segmentation to limit exposure to trusted networks only.

3. Review server logs for any suspicious PUT requests or unexpected JSP file creation that may indicate prior exploitation.

4. Apply the principle of least privilege by running Tomcat with minimal system permissions to reduce the impact of potential compromise.
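Mitigation steps 1 and 3 above (checking the DefaultServlet 'readonly' parameter and reviewing the access log for PUT requests against JSP files) can be automated. The script below is an added example, not Invicti's or Apache Tomcat's code; it assumes a standard web.xml layout and Tomcat's default AccessLogValve pattern, and both the web.xml fragment and the log lines are constructed samples.

```python
import re
import xml.etree.ElementTree as ET
# Constructed conf/web.xml fragment in the weak state (readonly=false); not from a real server.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet></web-app>"""

# Constructed access-log lines in Tomcat's default AccessLogValve pattern (%h %l %u %t "%r" %s %b).
ACCESS_LOG = """\
10.0.0.5 - - [12/Oct/2017:10:15:32 +0000] "GET /index.jsp HTTP/1.1" 200 1543
10.0.0.9 - - [12/Oct/2017:10:16:01 +0000] "PUT /docs/notes.txt HTTP/1.1" 201 -
10.0.0.9 - - [12/Oct/2017:10:16:07 +0000] "PUT /app/cmd.jsp?x=1 HTTP/1.1" 201 -
10.0.0.9 - - [12/Oct/2017:10:16:09 +0000] "PUT /app/cmd2.jsp HTTP/1.1" 403 -"""

def _local(tag):
    """Drop the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit('}', 1)[-1]

def default_servlet_readonly(web_xml_text):
    """Effective DefaultServlet 'readonly': True if unset (Tomcat default), None if not declared."""
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != 'servlet':
            continue
        fields = {_local(c.tag): (c.text or '').strip() for c in servlet}
        if fields.get('servlet-class') != 'org.apache.catalina.servlets.DefaultServlet':
            continue
        for param in servlet:
            if _local(param.tag) == 'init-param':
                kv = {_local(c.tag): (c.text or '').strip() for c in param}
                if kv.get('param-name') == 'readonly':
                    # Mirrors Java Boolean.parseBoolean: only the literal "true" disables writes.
                    return kv.get('param-value', '').lower() == 'true'
        return True  # DefaultServlet declared without the parameter: Tomcat defaults to true
    return None

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# .jsp/.jspx at end of path or before a query string, path parameter or slash.
JSP_RE = re.compile(r'\.jspx?(?=$|[?;/])', re.I)

def suspicious_put_requests(log_text):
    """(ip, timestamp, path, status) for every PUT aimed at a JSP; rejected ones (403) count too."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m['method'] == 'PUT' and JSP_RE.search(m['path']):
            hits.append((m['ip'], m['ts'], m['path'], int(m['status'])))
    return hits
```

A 201 next to a .jsp PUT means the upload succeeded and the file should be located and removed; a 403 shows the probe was refused but still identifies the source address.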
