Apache Tomcat JSP Upload RCE
Impact: High
Description
When running on Windows with HTTP PUTs enabled (e.g. by setting the readonly initialisation parameter of the Default servlet to false), it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested, and any code it contained would be executed by the server.
Recommendation
Upgrade Apache Tomcat to the latest stable version. Then make sure the readonly parameter is set to true in the configuration, as in the example below:
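<!-- conf/web.xml: readonly is an init-param of Tomcat's default servlet; true rejects HTTP PUT and DELETE -->
<servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param>
    <param-name>readonly</param-name>
    <param-value>true</param-value>
  </init-param>
</servlet>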
References
- Apache Tomcat
- CVE-2017-12615
- CVE-2017-12617
- CWE-77
- OWASP 2017-A1
- OWASP 2021-A3
- CWE-20
- OWASP 2017-A9
- OWASP 2021-A6
Last updated on June 06, 2022