Tomcat Vulnerability

Document ID : KB000009072
Last Modified Date : 06/02/2019
Issue:

A vulnerability exists in Apache Tomcat that, when exploited, could allow attackers to execute arbitrary code on the targeted host. 

 

Products Affected:

Apache Tomcat 7.0.0 to 7.0.81

Apache Tomcat 8.0.0.RC1 to 8.0.46, 8.5.0 to 8.5.22

Apache Tomcat 9.0.0.M1 to 9.0.0.M21

 

Threat Assessment:

Exploitation could allow attackers to execute arbitrary code on the targeted host. An attacker can successfully exploit this vulnerability by submitting a specially crafted request for the host to process.

 

NIRT rates this vulnerability as Severity Level #3 for internal servers and will continue to monitor the situation, providing updates where appropriate.

 

Required Actions:

Apply the following patches where appropriate:

 

Security Update Information

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.47

https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.1

 

NIRT recommends a careful review of all vendor notes related to this vulnerability. Customers should proceed with appropriate testing and planning to meet the required due date.
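
The following is an added example, not part of the original article or any vendor tooling: a Python check that classifies Tomcat version banners against the ranges listed under Products Affected. The host names and banner lines are constructed sample data, the hyphenated `-RC5` spelling is an assumption about how a banner may print a release candidate, and a version outside the listed ranges is reported as "not listed" rather than as fixed.

```python
import re

# Affected ranges exactly as listed in this article (inclusive bounds).
AFFECTED_RANGES = [("7.0.0", "7.0.81"), ("8.0.0.RC1", "8.0.46"),
                   ("8.5.0", "8.5.22"), ("9.0.0.M1", "9.0.0.M21")]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?$", re.IGNORECASE)
BANNER_RE = re.compile(r"Apache Tomcat/(\S+)")
# Pre-release ordering: milestone (M) < release candidate (RC) < final release.
QUALIFIER_RANK = {"M": 0, "RC": 1, None: 2}

def parse_version(text):
    """Turn '9.0.0.M21', '8.0.0-RC5' or '7.0.81' into a sortable tuple."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, qual, qual_num = match.groups()
    qual = qual.upper() if qual else None
    return (int(major), int(minor), int(patch), QUALIFIER_RANK[qual], int(qual_num or 0))

def is_listed_affected(version):
    """True if the version falls inside one of the article's listed ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def audit(inventory):
    """Map host -> 'affected' / 'not listed' / 'unknown' from 'host banner' lines."""
    report = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.strip().partition(" ")
        found = BANNER_RE.search(banner)
        try:
            affected = is_listed_affected(found.group(1)) if found else None
        except ValueError:
            affected = None  # Tomcat banner present but version not parseable
        report[host] = {True: "affected", False: "not listed", None: "unknown"}[affected]
    return report

# Constructed sample inventory (hypothetical hosts), one "host banner" per line.
SAMPLE = """
host-a Apache Tomcat/7.0.81
host-b Apache Tomcat/7.0.82
host-c Apache Tomcat/8.0.0-RC5
host-d Apache Tomcat/9.0.0.M21
host-e Apache Tomcat/9.0.1
host-f nginx/1.12.1
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check, since no Tomcat version could be read from their banner.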

Environment:
CA Spectrum 10.1.x and 10.2.x
Cause:

A vulnerability exists in Apache Tomcat that, when exploited, could allow attackers to execute arbitrary code on the targeted host. 

 


Resolution:

Problem Description: 
----------------------------- 
Vulnerability: CVE-2017-12617.


Cause: 
--------- 
Vulnerability 

Solution: 
------------ 
For Spectrum 10.2, this issue is addressed in Spectrum 10.2.3.

For Spectrum 10.1, this issue is addressed in the Spectrum_10.01.01.PTF_10.1.182 patch.