netapp oncommand-balance CVE-2017-12615 vulnerability in NetApp and Other Products
Published on September 19, 2017

product logo product logo product logo
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

NVD

Known Exploited Vulnerability

This Apache Tomcat on Windows Remote Code Execution Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

The following remediation steps are recommended / required by April 15, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2017-12615 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

What is an Unrestricted File Upload Vulnerability?

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

CVE-2017-12615 has been classified to as an Unrestricted File Upload vulnerability or weakness.


Products Associated with CVE-2017-12615

You can be notified by stack.watch whenever vulnerabilities like CVE-2017-12615 are published in these products:

NetApp Oncommand Balance
 
NetApp Oncommand Shift
 
NetApp 7 Mode Transition Tool
 
Red Hat Enterprise Linux Desktop
 
Red Hat Enterprise Linux Workstation
 
Red Hat Enterprise Linux Scientific Computing
 
Red Hat Enterprise Linux Server
 
Red Hat Jboss Enterprise Web Server
 
Red Hat Enterprise Linux Server Aus
 
Red Hat Enterprise Linux Server Tus
 
Red Hat Enterprise Linux Eus
 
Red Hat Enterprise Linux Server Update Services Sap Solutions
 
Red Hat Enterprise Linux Power Big Endian Eus
 
Red Hat Enterprise Linux Server Power Little Endian Update Services Sap Solutions
 
Red Hat Enterprise Linux Power Little Endian
 
Red Hat Enterprise Linux Power Big Endian
 
Red Hat Enterprise Linux Ibm Z Systems
 
Red Hat Enterprise Linux Eus Compute Node
 
Red Hat Enterprise Linux Power Little Endian Eus
 
Red Hat Enterprise Linux Ibm Z Systems Eus
 
Red Hat Jboss Enterprise Web Server Text Only Advisories
 
Apache Tomcat
 

What versions are vulnerable to CVE-2017-12615?

Each of the following must match for the vulnerability to exist.