Cyber Resilience

CVE-2017-12617

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Patch

Published: 04 October 2017
Modified: 21 April 2026
KEV Added: 25 March 2022
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9438 (100.0th percentile)
Risk Priority: 93 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2017-12617 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Apache Tomcat; it also affects the many Oracle and other vendor products that bundle Tomcat (see Affected Assets). Its CVSS base score is 8.1 (High).

Operationally, its EPSS score places it at the 100th percentile of all CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-7 (Least Functionality).

Deeper analysis

Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46, and 7.0.0 to 7.0.81 contain an unrestricted file upload vulnerability when the Default servlet is configured with the readonly initialization parameter set to false, which enables HTTP PUT (and DELETE) requests. The flaw, tracked as CWE-434, permits an attacker to supply a specially crafted request that writes a JSP file directly into the web application's document root. The crafting lies in the request path: a PUT addressed directly to a name ending in .jsp is routed to the JSP servlet, which rejects it, but a path the *.jsp mapping does not match (the public proof of concept appends a trailing slash, e.g. PUT /name.jsp/) is handled by the Default servlet, which strips the slash and writes name.jsp.

Once uploaded, the JSP can be requested by the attacker and executed by the Tomcat runtime, resulting in remote code execution as the user running Tomcat. The attack requires no authentication or user interaction and can be carried out over the network; the vector rates attack complexity as High because it depends on the non-default readonly=false setting, which is why the CVSS 3.1 base score is 8.1 rather than higher, with high impact on confidentiality, integrity, and availability.
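The PUT-then-GET sequence described above leaves a recognisable trace in Tomcat's access log. The following detector is an added example written for this page, not code from Apache Tomcat or from any referenced advisory; it runs over constructed sample log lines embedded in the script (no real traffic), assumes the common access-log format that Tomcat's AccessLogValve emits by default, and uses the fact that the Default servlet answers a successful PUT with 201 (new file) or 204 (overwrite).

```python
import re

# Constructed sample lines in Tomcat's common access-log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2017:12:00:01 +0000] "PUT /shell.jsp/ HTTP/1.1" 201 -
10.0.0.5 - - [04/Oct/2017:12:00:02 +0000] "GET /shell.jsp?cmd=id HTTP/1.1" 200 512
10.0.0.9 - - [04/Oct/2017:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024
10.0.0.7 - - [04/Oct/2017:12:00:04 +0000] "PUT /uploads/report.pdf HTTP/1.1" 201 -
10.0.0.8 - - [04/Oct/2017:12:00:05 +0000] "PUT /app/cmd.jsp HTTP/1.1" 405 -
"""

# One common-log-format line: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+)$'
)

EXECUTABLE_EXTENSIONS = (".jsp", ".jspx")


def normalize_path(target):
    """Drop the query string and any trailing slash.

    The trailing slash is the bypass: PUT /shell.jsp/ is not matched by the
    *.jsp servlet mapping, so the Default servlet handles it and writes
    /shell.jsp. Normalising lets the later GET be tied back to the PUT.
    """
    path = target.split("?", 1)[0]
    return path.rstrip("/") or "/"


def is_executable(path):
    return path.lower().endswith(EXECUTABLE_EXTENSIONS)


def detect(log_text):
    """Return findings for JSP uploads via PUT and subsequent execution of those files."""
    findings = []
    uploaded = {}  # normalised path -> client that wrote it
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing at them
        method, status = m["method"], int(m["status"])
        path = normalize_path(m["target"])
        if method == "PUT" and is_executable(path):
            # DefaultServlet answers a successful PUT with 201 (created) or 204 (overwritten);
            # anything else (e.g. 405 from the JSP servlet) is still a worthwhile attempt signal.
            rule = "jsp_put_success" if status in (201, 204) else "jsp_put_attempt"
            findings.append({"rule": rule, "ip": m["ip"], "path": path,
                             "raw": m["target"], "status": status})
            if rule == "jsp_put_success":
                uploaded[path] = m["ip"]
        elif method in ("GET", "POST") and status == 200 and path in uploaded:
            # A 200 on a file we saw written via PUT means the JSP was compiled and run.
            findings.append({"rule": "uploaded_jsp_executed", "ip": m["ip"], "path": path,
                             "uploaded_by": uploaded[path], "status": status})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

Run against a real log, the `jsp_put_success` rule alone is enough to page on: a legitimate WebDAV-style deployment should never write .jsp files through the Default servlet. The `jsp_put_attempt` rule (a PUT to a .jsp path answered with 405) is the noisy precursor worth correlating with source IP rather than alerting on directly.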

Oracle security advisories published in January, April, and July 2018, along with entries from SecurityFocus and SecurityTracker, document the issue and direct administrators to the corresponding Tomcat fixes and configuration guidance.


Vulnerability details

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

apache tomcat: 7.0.0 — 7.0.82 · 8.0 — 8.0.47 · 8.5.0 — 8.5.23
canonical ubuntu linux: 12.04, 16.04, 17.10, 18.04
oracle agile plm: 9.3.3, 9.3.4, 9.3.5, 9.3.6
oracle communications instant messaging server: 10.0.1
oracle endeca information discovery integrator: 3.1.0, 3.2.0
oracle enterprise manager for mysql database: 12.1.0.4.0
oracle financial services analytical applications infrastructure: 7.3.3.0.0 — 7.3.5.3.0 · 8.0.0.0.0 — 8.0.9.0.0
oracle fmw platform: 12.2.1.2.0, 12.2.1.3.0
oracle health sciences empirica inspections: 1.0.1.1
oracle hospitality guest access: 4.2.0, 4.2.1
+48 more product configuration(s) — see NVD for full list

Note that the NVD Tomcat ranges above end one release later than the affected ranges given in the vulnerability details (7.0.81, 8.0.46, 8.5.22). The first fixed releases are 7.0.82, 8.0.47, 8.5.23 and 9.0.1; treat anything below those as vulnerable, and treat the Oracle and Ubuntu entries as bundled-Tomcat exposures that need the vendor's own patched build rather than a standalone Tomcat upgrade.

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Disables the unnecessary HTTP PUT method and executable file upload capability on the Default servlet, directly blocking the attack vector used by CVE-2017-12617.

prevent: Enforces the readonly initialization parameter to remain true on the Tomcat Default servlet, preventing the misconfiguration that enables unrestricted JSP uploads.

prevent: Validates uploaded content to reject dangerous file types such as JSP before they can be written and later executed on the server.
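The first two controls both come down to one setting in Tomcat's web.xml (the global conf/web.xml or an application's WEB-INF/web.xml). The auditor below is an added example written for this page, not Apache Tomcat's own tooling: it carries a constructed web.xml fragment with the weak setting (readonly=false) beside its corrected form, finds every declaration of org.apache.catalina.servlets.DefaultServlet regardless of XML namespace, reports any whose readonly parameter is not true, and can rewrite the file to the safe value. It assumes, as Tomcat documents, that an absent readonly parameter means true.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed conf/web.xml fragment carrying the weak setting: readonly=false
# turns on PUT/DELETE handling in the Default servlet (the CVE-2017-12617 precondition).
VULNERABLE_WEB_XML = """\
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/</url-pattern>
  </servlet-mapping>
</web-app>
"""

# The corrected form differs in exactly one value: readonly=true, which is also
# Tomcat's shipped default, so deleting the init-param entirely is equivalent.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>",
)


def _local(tag):
    """Strip the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _default_servlets(root):
    """Yield every <servlet> whose class is Tomcat's DefaultServlet, whatever its name."""
    for elem in root.iter():
        if _local(elem.tag) == "servlet" and _child_text(elem, "servlet-class") == DEFAULT_SERVLET_CLASS:
            yield elem


def _readonly_param(servlet):
    for init_param in servlet:
        if _local(init_param.tag) == "init-param" and _child_text(init_param, "param-name") == "readonly":
            return init_param
    return None


def audit_web_xml(xml_text):
    """Return one finding per DefaultServlet declaration whose readonly param is not true."""
    findings = []
    for servlet in _default_servlets(ET.fromstring(xml_text)):
        param = _readonly_param(servlet)
        # Tomcat defaults readonly to true when the init-param is absent (assumed per its docs).
        value = _child_text(param, "param-value") if param is not None else "true"
        if (value or "").lower() != "true":
            findings.append({
                "servlet": _child_text(servlet, "servlet-name"),
                "readonly": value,
                "issue": "HTTP PUT/DELETE enabled on DefaultServlet (CVE-2017-12617 precondition)",
            })
    return findings


def harden_web_xml(xml_text):
    """Return the same document with every DefaultServlet readonly param forced to true."""
    root = ET.fromstring(xml_text)
    for servlet in _default_servlets(root):
        param = _readonly_param(servlet)
        if param is None:
            continue  # absent means the safe default already applies
        for child in param:
            if _local(child.tag) == "param-value":
                child.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("weak config:", audit_web_xml(VULNERABLE_WEB_XML))
    print("hardened config:", audit_web_xml(HARDENED_WEB_XML))
```

Two caveats for anyone wiring this into configuration monitoring. First, an application can redeclare the Default servlet under a different servlet-name in its own WEB-INF/web.xml, which is why the auditor matches on servlet-class rather than on the name "default". Second, setting readonly=true removes the precondition but is not a substitute for upgrading past the fixed releases: a deployment that genuinely needs PUT (for example a WebDAV-style workflow) still needs the patched Tomcat, plus the third control's content validation, to keep executable types out.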
