Apache Tomcat Remote Code Execution via JSP Upload & Information Disclosure

Description: The Apache Foundation has released security updates to address vulnerabilities in Apache Tomcat.

When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Impact: Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected server.

Mitigation: Updates are available. Upgrade to Apache Tomcat 7.0.81 or later. Please check specific vendor advisory for more information.

Reference URL’s: