Apache Tomcat JSP Upload RCE

Description

Apache Tomcat is susceptible to a Remote Code Execution (RCE) vulnerability when running on Windows with HTTP PUTs enabled. By sending a specially crafted request, attackers can upload a JSP file to the server. Subsequently, this JSP file can be requested, and any code it contains will be executed by the server.

Recommendation

To mitigate this vulnerability, it is recommended to upgrade to the latest stable version of Apache Tomcat. Additionally, ensure that the readonly parameter is set to true in the servlet configurations:

<servlet>
  <servlet-name>HelloWorld</servlet-name>
  <servlet-class>HelloWorldServlet</servlet-class>
  <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
  </init-param>
</servlet>

References

• Apache Tomcat
• CVE-2017-12615
• CVE-2017-12617
• CWE-20
• CWE-78
• OWASP 2021-A3
• OWASP 2021-A6