Tomcat: Remote Code Execution and Security Constraint Bypass

IDs: 
CVE-2017-12616, CVE-2017-12615, CVE-2017-8045, CVE-2017-12617
Keywords: 
Tomcat, Remote Code Execution
Description: 

Apache Tomcat fixes the vulnerabilities CVE-2017-12615, CVE-2017-12616 and CVE-2017-12617 in versions 7.0.81/7.0.82 and 8.5.22.

Airlock WAF and Airlock Login/IAM are not affected. Back-ends behind Airlock WAF may be vulnerable, see resolution.

  • CVE-2017-12615, CVE-2017-12617
    Remote code execution if HTTP PUT is enabled. Airlock Login/IAM and WAF are not affected in the default configuration, in which HTTP PUT is disabled.
  • CVE-2017-12616
    This vulnerability may allow a security constraint bypass and disclosure of JSP source code when a VirtualDirContext is used. Airlock Login/IAM and WAF are not affected in the default configuration, as no VirtualDirContext is used.
Resolution: 
  • CVE-2017-12615, CVE-2017-12617
    Airlock WAF protects vulnerable Tomcat back-ends by default because the HTTP method PUT is blocked. If PUT must be allowed in the Airlock WAF configuration (see mapping - allow rules) and you are running a vulnerable Tomcat version behind Airlock WAF (check the "readonly" setting of the default servlet), we recommend updating Apache Tomcat.
  • CVE-2017-12616
    If you are running a vulnerable Tomcat version behind Airlock WAF (check the "VirtualDirContext" setting), we recommend updating it.
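The two configuration checks named in the resolution above, as an added example that is not part of this advisory or of Airlock's own tooling: a Python script that reads a Tomcat conf/web.xml and a context.xml, reports whether the default servlet has been made writable (readonly=false, the precondition for CVE-2017-12615/CVE-2017-12617) and whether a VirtualDirContext resource is configured (the precondition for CVE-2017-12616), and combines the first finding with whether the WAF lets PUT through. The XML fragments are constructed samples, and the function names and the `waf_allows_put` flag are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample configs (not taken from any real deployment).
# Tomcat 8.5 uses the xmlns.jcp.org namespace, Tomcat 7 the java.sun.com one;
# the helpers below strip namespaces so both parse the same way.
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
# Same file with the one change that enables PUT/DELETE on the default servlet.
UNSAFE_WEB_XML = SAFE_WEB_XML.replace(
    "<load-on-startup>",
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n"
    "    <load-on-startup>",
)
VDC_CONTEXT_XML = """<Context>
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/=/opt/example/extra-webapp" />
</Context>
"""
PLAIN_CONTEXT_XML = """<Context>
  <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
"""


def _local(tag: str) -> str:
    """Drop the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _text(el) -> str:
    return (el.text or "").strip()


def default_servlet_readonly(web_xml: str) -> bool:
    """True when the DefaultServlet is read-only, i.e. PUT/DELETE are refused.

    Tomcat keeps the servlet read-only unless an explicit 'readonly' init-param
    is present; the value is interpreted like Java's Boolean.parseBoolean, so
    only the literal "true" (case-insensitive) keeps it read-only.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((_text(c) for c in servlet if _local(c.tag) == "servlet-class"), "")
        if cls != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(c.tag): _text(c) for c in param}
            if fields.get("param-name") == "readonly":
                return fields.get("param-value", "").lower() == "true"
        return True  # DefaultServlet declared without 'readonly': default is read-only
    return True  # no DefaultServlet override: the global default (read-only) applies


def uses_virtual_dir_context(context_xml: str) -> bool:
    """True when any element (normally <Resources>) is backed by a VirtualDirContext."""
    root = ET.fromstring(context_xml)
    return any("VirtualDirContext" in el.attrib.get("className", "") for el in root.iter())


def assess(web_xml: str, context_xml: str, waf_allows_put: bool) -> dict:
    """Summarise the two advisory checks for one back-end.

    waf_allows_put (assumption for this example) models whether the WAF mapping
    has an allow rule for PUT; Airlock WAF blocks PUT by default.
    """
    readonly = default_servlet_readonly(web_xml)
    return {
        "default_servlet_readonly": readonly,
        "virtual_dir_context": uses_virtual_dir_context(context_xml),
        # CVE-2017-12615/12617 need a writable default servlet AND a PUT that
        # actually reaches Tomcat through the WAF.
        "put_rce_exposed": (not readonly) and waf_allows_put,
    }


if __name__ == "__main__":
    for label, web, ctx, put in [
        ("hardened", SAFE_WEB_XML, PLAIN_CONTEXT_XML, False),
        ("writable servlet, PUT allowed at WAF", UNSAFE_WEB_XML, PLAIN_CONTEXT_XML, True),
        ("Tomcat 7 with VirtualDirContext", SAFE_WEB_XML, VDC_CONTEXT_XML, False),
    ]:
        print(f"{label}: {assess(web, ctx, put)}")
```

In a real review, point the two parsers at the back-end's conf/web.xml (and any per-application WEB-INF/web.xml that redeclares the default servlet) and at its context.xml files; a hit on either check means the back-end should be updated as described in the resolution, regardless of what the WAF currently blocks.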
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution