CVE-2017-12617 vulnerability in Apache and Other Products
Published on October 4, 2017

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Vulnerability Analysis

CVE-2017-12617 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is consided to have a high level of attack complexity. It has an exploitability score of 2.2 out of four. The potential impact of an exploit of this vulnerability is considered to be very high.

Products Associated with CVE-2017-12617

You can be notified by stack.watch whenever vulnerabilities like CVE-2017-12617 are published in these products:

Apache Tomcat

  Watch

 

Canonical Ubuntu Linux

  Watch

 

Oracle Transportation Management

  Watch

 

Oracle Retail Xstore Point Of Service

  Watch

 

Oracle Webcenter Sites

  Watch

 

Oracle Retail Invoice Matching

  Watch

 

Oracle Hospitality Guest Access

  Watch

 

Oracle Retail Central Office

  Watch

 

Oracle Retail Returns Management

  Watch

 

Oracle Retail Point Of Service

  Watch

 

Oracle Retail Back Office

  Watch

 

Oracle Endeca Information Discovery Integrator

  Watch

 

Oracle Retail Order Broker

  Watch

 

Oracle Instantis Enterprisetrack

  Watch

 

Oracle Agile Plm

  Watch

 

Oracle Micros Lucas

  Watch

 

Oracle Communications Instant Messaging Server

  Watch

 

Oracle Workload Manager

  Watch

 

Oracle Retail Advanced Inventory Planning

  Watch

 

Oracle Retail Price Management

  Watch

 

Oracle Retail Store Inventory Management

  Watch

 

Oracle Fmw Platform

  Watch

 

Oracle Retail Convenience Fuel Pos Software

  Watch

 

Oracle Micros Retail Xbri Loss Prevention

  Watch

 

Oracle Mysql Enterprise Monitor

  Watch

 

Oracle Health Sciences Empirica Inspections

  Watch

 

Oracle Tuxedo System Applications Monitor

  Watch

 

Oracle Retail Order Management System

  Watch

 

Oracle Retail Insights

  Watch

 

Oracle Retail Eftlink

  Watch

 

Oracle Management Pack

  Watch

 

Oracle Financial Services Analytical Applications Infrastructure

  Watch

 

Oracle Enterprise Manager Mysql Database

  Watch

 

Debian Linux

  Watch

 

NetApp Oncommand Balance

  Watch

 

NetApp Snapcenter

  Watch

 

NetApp Oncommand Workflow Automation

  Watch

 

NetApp Oncommand Insight

  Watch

 

NetApp Active Iq Unified Manager

  Watch

 

NetApp Oncommand Shift

  Watch

 

NetApp Element

  Watch

 

Red Hat Enterprise Linux Desktop

  Watch

 

Red Hat Enterprise Linux Workstation

  Watch

 

Red Hat Enterprise Linux Server

  Watch

 

Red Hat Jboss Enterprise Application Platform

  Watch

 

Red Hat Enterprise Linux Power Little Endian

  Watch

 

Red Hat Jboss Enterprise Web Server

  Watch

 

Red Hat Enterprise Linux Server Aus

  Watch

 

Red Hat Enterprise Linux Server Tus

  Watch

 

Red Hat Enterprise Linux Eus

  Watch

 

Red Hat Enterprise Linux Power Big Endian Eus

  Watch

 

Red Hat Fuse

  Watch

 

Red Hat Enterprise Linux Power Big Endian

  Watch

 

Red Hat Enterprise Linux Ibm Z Systems

  Watch

 

Red Hat Enterprise Linux Eus Compute Node

  Watch

 

Red Hat Enterprise Linux Power Little Endian Eus

  Watch

 

Red Hat Enterprise Linux Ibm Z Systems Eus

  Watch

 

Red Hat Jboss Enterprise Web Server Text Only Advisories

  Watch

 

What versions are vulnerable to CVE-2017-12617?

•   Apache Tomcat Version 7.0.0 Fixed in Version 7.0.82
•   Apache Tomcat Version 8.0 Fixed in Version 8.0.47
•   Apache Tomcat Version 8.5.0 Fixed in Version 8.5.23
•   Apache Tomcat Version 9.0.0 Fixed in Version 9.0.1

•   Canonical Ubuntu Linux Version 12.04
•   Canonical Ubuntu Linux Version 17.10
•   Canonical Ubuntu Linux Version 16.04
•   Canonical Ubuntu Linux Version 18.04

•   Oracle Transportation Management Version 6.3.2
•   Oracle Transportation Management Version 6.3.4
•   Oracle Retail Xstore Point Of Service Version 7.1.6
•   Oracle Transportation Management Version 6.3.3
•   Oracle Retail Xstore Point Of Service Version 7.0.6
•   Oracle Webcenter Sites Version 11.1.1.8.0
•   Oracle Retail Invoice Matching Version 13.0
•   Oracle Transportation Management Version 6.3.1
•   Oracle Retail Invoice Matching Version 12.0
•   Oracle Transportation Management Version 6.3.6
•   Oracle Transportation Management Version 6.3.5
•   Oracle Retail Xstore Point Of Service Version 6.0.11
•   Oracle Retail Xstore Point Of Service Version 15.0.1
•   Oracle Transportation Management Version 6.3.7
•   Oracle Hospitality Guest Access Version 4.2.0
•   Oracle Hospitality Guest Access Version 4.2.1
•   Oracle Retail Central Office Version 14.0.4
•   Oracle Retail Central Office Version 14.1.3
•   Oracle Retail Returns Management Version 2.3.8
•   Oracle Retail Returns Management Version 2.4.9
•   Oracle Retail Returns Management Version 14.0.4
•   Oracle Retail Returns Management Version 14.1.3
•   Oracle Retail Point Of Service Version 14.0.4
•   Oracle Retail Point Of Service Version 14.1.3
•   Oracle Retail Back Office Version 14.0.4
•   Oracle Retail Back Office Version 14.1.3
•   Oracle Endeca Information Discovery Integrator Version 3.2.0
•   Oracle Endeca Information Discovery Integrator Version 3.1.0
•   Oracle Retail Order Broker Version 5.1
•   Oracle Retail Order Broker Version 5.2
•   Oracle Retail Order Broker Version 15.0
•   Oracle Retail Order Broker Version 16.0
•   Oracle Retail Invoice Matching Version 15.0
•   Oracle Instantis Enterprisetrack Version 17.1
•   Oracle Instantis Enterprisetrack Version 17.2
•   Oracle Agile Plm Version 9.3.3
•   Oracle Agile Plm Version 9.3.4
•   Oracle Agile Plm Version 9.3.5
•   Oracle Agile Plm Version 9.3.6
•   Oracle Micros Lucas Version 2.9.5
•   Oracle Communications Instant Messaging Server Version 10.0.1
•   Oracle Retail Invoice Matching Version 13.1
•   Oracle Retail Invoice Matching Version 13.2
•   Oracle Retail Invoice Matching Version 14.0
•   Oracle Retail Invoice Matching Version 14.1
•   Oracle Workload Manager Version 12.2.0.1
•   Oracle Retail Advanced Inventory Planning Version 14.1
•   Oracle Retail Price Management Version 15.0
•   Oracle Retail Price Management Version 16.0
•   Oracle Retail Price Management Version 14.0
•   Oracle Retail Store Inventory Management Version 14.0.4
•   Oracle Retail Store Inventory Management Version 14.1.3
•   Oracle Retail Advanced Inventory Planning Version 15.0
•   Oracle Fmw Platform Version 12.2.1.3.0
•   Oracle Retail Price Management Version 13.2
•   Oracle Retail Price Management Version 14.1
•   Oracle Retail Invoice Matching Version 16.0
•   Oracle Retail Convenience Fuel Pos Software Version 2.1.132
•   Oracle Micros Retail Xbri Loss Prevention Version 10.5.0
•   Oracle Micros Retail Xbri Loss Prevention Version 10.6.0
•   Oracle Micros Retail Xbri Loss Prevention Version 10.8.0
•   Oracle Micros Retail Xbri Loss Prevention Version 10.8.1
•   Oracle Micros Retail Xbri Loss Prevention Version 10.0.1
•   Oracle Micros Retail Xbri Loss Prevention Version 10.7.0
•   Oracle Mysql Enterprise Monitor Version 4.0.0 through 4.0.0.5135
•   Oracle Mysql Enterprise Monitor Version 3.4.0 through 3.4.4.4226
•   Oracle Mysql Enterprise Monitor Up to Version 3.3.6.3293
•   Oracle Health Sciences Empirica Inspections Version 1.0.1.1
•   Oracle Tuxedo System Applications Monitor Version 12.1.3.0.0
•   Oracle Retail Store Inventory Management Version 12.0.12
•   Oracle Retail Store Inventory Management Version 13.0.7
•   Oracle Retail Store Inventory Management Version 13.1.9
•   Oracle Retail Store Inventory Management Version 13.2.9
•   Oracle Retail Store Inventory Management Version 15.0.2
•   Oracle Retail Store Inventory Management Version 16.0.1
•   Oracle Retail Price Management Version 12.0
•   Oracle Retail Price Management Version 13.0
•   Oracle Retail Price Management Version 13.1
•   Oracle Retail Order Management System Version 4.0
•   Oracle Retail Order Management System Version 4.5
•   Oracle Retail Order Management System Version 4.7
•   Oracle Retail Order Management System Version 5.0
•   Oracle Retail Order Broker Version 5.0
•   Oracle Retail Insights Version 14.1
•   Oracle Retail Insights Version 15.0
•   Oracle Retail Insights Version 16.0
•   Oracle Retail Insights Version 14.0
•   Oracle Retail Eftlink Version 1.1.124
•   Oracle Retail Eftlink Version 15.0.1
•   Oracle Retail Eftlink Version 16.0.2
•   Oracle Retail Advanced Inventory Planning Version 13.4
•   Oracle Retail Advanced Inventory Planning Version 13.2
•   Oracle Management Pack Version 11.2.1.0.13 goldengate
•   Oracle Financial Services Analytical Applications Infrastructure Version 8.0.0.0.0 through 8.0.9.0.0
•   Oracle Financial Services Analytical Applications Infrastructure Version 7.3.3.0.0 through 7.3.5.3.0
•   Oracle Enterprise Manager Mysql Database Version 12.1.0.4.0
•   Oracle Fmw Platform Version 12.2.1.2.0

•   Debian Linux Version 7.0

•   NetApp Oncommand Balance Version -
•   NetApp Snapcenter Version -
•   NetApp Oncommand Workflow Automation Version -
•   NetApp Oncommand Insight Version -
•   NetApp Active Iq Unified Manager Version 7.3 windows
•   NetApp Active Iq Unified Manager Version 9.5 vmware_vsphere
•   NetApp Oncommand Shift Version -
•   NetApp Element Version - vcenter_server

•   Red Hat Enterprise Linux Desktop Version 7.0
•   Red Hat Enterprise Linux Workstation Version 7.0
•   Red Hat Enterprise Linux Server Version 7.0
•   Red Hat Jboss Enterprise Application Platform Version 6.0.0
•   Red Hat Enterprise Linux Power Little Endian Version 7.0
•   Red Hat Enterprise Linux Desktop Version 6.0
•   Red Hat Jboss Enterprise Web Server Version 2.0.0
•   Red Hat Enterprise Linux Server Version 6.0
•   Red Hat Enterprise Linux Workstation Version 6.0
•   Red Hat Enterprise Linux Server Aus Version 7.4
•   Red Hat Jboss Enterprise Web Server Version 3.0.0
•   Red Hat Jboss Enterprise Application Platform Version 6.4.0
•   Red Hat Enterprise Linux Server Tus Version 7.4
•   Red Hat Enterprise Linux Eus Version 7.4
•   Red Hat Enterprise Linux Eus Version 7.5
•   Red Hat Enterprise Linux Server Tus Version 7.6
•   Red Hat Enterprise Linux Server Aus Version 7.6
•   Red Hat Enterprise Linux Eus Version 7.6
•   Red Hat Enterprise Linux Server Aus Version 7.7
•   Red Hat Enterprise Linux Server Tus Version 7.7
•   Red Hat Enterprise Linux Eus Version 7.7
•   Red Hat Enterprise Linux Power Big Endian Eus Version 7.4_ppc64
•   Red Hat Enterprise Linux Power Big Endian Eus Version 7.5_ppc64
•   Red Hat Enterprise Linux Power Big Endian Eus Version 7.6_ppc64
•   Red Hat Enterprise Linux Power Big Endian Eus Version 7.7_ppc64
•   Red Hat Fuse Version 1.0
•   Red Hat Enterprise Linux Power Big Endian Version 7.0_ppc64
•   Red Hat Enterprise Linux Ibm Z Systems Version 7.0_s390x
•   Red Hat Enterprise Linux Eus Compute Node Version 7.7
•   Red Hat Enterprise Linux Eus Compute Node Version 7.6
•   Red Hat Enterprise Linux Eus Compute Node Version 7.5
•   Red Hat Enterprise Linux Eus Compute Node Version 7.4
•   Red Hat Enterprise Linux Power Little Endian Eus Version 7.7_ppc64le
•   Red Hat Enterprise Linux Power Little Endian Eus Version 7.6_ppc64le
•   Red Hat Enterprise Linux Power Little Endian Eus Version 7.5_ppc64le
•   Red Hat Enterprise Linux Power Little Endian Eus Version 7.4_ppc64le
•   Red Hat Enterprise Linux Ibm Z Systems Eus Version 7.7_s390x
•   Red Hat Enterprise Linux Ibm Z Systems Eus Version 7.6_s390x
•   Red Hat Enterprise Linux Ibm Z Systems Eus Version 7.5_s390x
•   Red Hat Enterprise Linux Ibm Z Systems Eus Version 7.4_s390x
•   Red Hat Jboss Enterprise Web Server Text Only Advisories Version -
•   Red Hat Enterprise Linux Power Big Endian Version 6.0_ppc64
•   Red Hat Enterprise Linux Ibm Z Systems Version 6.0_s390x