Cyber Resilience

CVE-2017-12615

High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 19 September 2017
Modified: 21 April 2026
KEV Added: 25 March 2022
Patch
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9423 (99.9th percentile)
Risk Priority: 93 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2017-12615 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability affecting Red Hat Enterprise Linux EUS. Its CVSS base score is 8.1 (High).

Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

The vulnerability tracked as CVE-2017-12615 affects Apache Tomcat versions 7.0.0 through 7.0.79 running on Windows when the DefaultServlet is configured with its readonly initialization parameter set to false, enabling HTTP PUT requests. This configuration permits an attacker to upload a JSP file through a specially crafted request; once uploaded, the JSP can be accessed and executed by the server, resulting in arbitrary code execution. The issue is classified under CWE-434 and carries a CVSS 3.1 score of 8.1.

An unauthenticated remote attacker can exploit the flaw over the network by sending the crafted PUT request to upload a malicious JSP payload and then invoking it to execute code. Successful exploitation grants full control over the affected Tomcat instance, impacting confidentiality, integrity, and availability, although the attack requires the non-default PUT capability to be enabled and therefore receives a high attack-complexity rating.

Red Hat has published errata RHSA-2017:3080 and RHSA-2017:3081 that address the issue for supported products; additional details appear in vendor trackers such as SecurityFocus and SecurityTracker.


Vulnerability details

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
KEV Date Added: 25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache / tomcat: 7.0.0 to 7.0.79
netapp / 7-mode transition tool: all versions
netapp / oncommand balance: all versions
netapp / oncommand shift: all versions
redhat / enterprise linux server update services for sap solutions: 7.4, 7.6, 7.7
redhat / jboss enterprise web server: 2.0.0, 3.0.0
redhat / jboss enterprise web server text-only advisories: all versions
redhat / enterprise linux desktop: 6.0, 7.0
redhat / enterprise linux eus: 7.4, 7.5, 7.6, 7.7
redhat / enterprise linux eus compute node: 7.4, 7.5, 7.6, 7.7
+12 more product configuration(s); see NVD for the full list

Mitigating Controls (NIST 800-53 r5)

prevent (CM-7, Least Functionality): Disabling HTTP PUT (or enforcing readonly=true) directly removes the non-least-functionality capability that enables the JSP upload in this CVE.

prevent (CM-6, Configuration Settings): Enforcing secure baseline settings for the DefaultServlet prevents the exact Tomcat configuration that allows unauthenticated PUT-based JSP deployment.

prevent (Access Enforcement): Access enforcement can restrict or require authentication for PUT operations, blocking the unauthenticated upload vector used by the CVE.
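The readonly check that the analysis and the CM-6/CM-7 controls above describe, as an added configuration-audit example (not part of the original advisory or of Tomcat): it parses a Tomcat web.xml, locates the DefaultServlet and reports whether its readonly init-param enables HTTP PUT. The two web.xml fragments are constructed samples, and the code assumes Tomcat's documented default of readonly=true when the parameter is absent.

```python
"""Audit a Tomcat web.xml for the CVE-2017-12615 precondition:
a DefaultServlet with readonly=false (HTTP PUT enabled)."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def _local(tag):
    # Strip the XML namespace so matching works for any Servlet-spec schema.
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else ""

def default_servlet_readonly(web_xml: str) -> bool:
    """Return the effective 'readonly' value of the DefaultServlet.
    Assumes Tomcat's documented default (true) when the param is missing."""
    root = ET.fromstring(web_xml)
    for servlet in _children(root, "servlet"):
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == "readonly":
                return _text(param, "param-value").lower() == "true"
        return True  # DefaultServlet declared without a readonly override
    return True      # no DefaultServlet declared at all

def put_enabled(web_xml: str) -> bool:
    """True when the configuration permits HTTP PUT (the vulnerable state)."""
    return not default_servlet_readonly(web_xml)

# Constructed samples for demonstration, not taken from any real deployment.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = WEAK_WEB_XML.replace("<param-value>false", "<param-value>true")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"{label}: HTTP PUT enabled = {put_enabled(cfg)}")
```

Run it against each deployed web.xml (the global conf/web.xml and any per-application override) since a webapp-level DefaultServlet entry takes precedence.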
