Apache Tomcat Bug Lets Remote Users Upload and Execute Arbitrary Code in Certain Cases
SecurityTracker Alert ID: 1030834|
SecurityTracker URL: http://securitytracker.com/id/1030834
(Links to External Site)
Date: Sep 10 2014
Execution of arbitrary code via network, Modification of user information, User access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 7.0.0 to 7.0.39|
A vulnerability was reported in Apache Tomcat. A remote user can execute arbitrary code on the target system in certain cases.|
A remote user can upload arbitrary JSP code and then cause the code to be executed in certain limited cases.
Systems with all of the following conditions are affected:
- A version of Java where 'java.io.File' contains a null byte injection flaw (e.g., 1.7.0 update 25 or prior)
- A web application using the Servlet 3.0 File Upload feature or using Apache Commons File Upload 1.2.1 or prior
- A Tomcat-writable file location within a deployed web application (when the Servlet 3.0 File Upload feature is used)
- A custom listener for JMX connections (e.g., the JmxRemoteListener) configured and able to load classes from Tomcat's common class loader and bound to an address other than localhost
Pierre Ernst of the VMware Security Engineering, Communications & Response group (vSECR) reported this vulnerability (via the Pivotal security team).
A remote user can upload and execute arbitrary code on the target system.|
The vendor has issued a fix (7.0.40) [in May 2013].|
Vendor URL: tomcat.apache.org/security-7.html (Links to External Site)
Access control error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
This archive entry has one or more follow-up message(s) listed below.|
Source Message Contents
Subject: [SECURITY] CVE-2013-4444 Remote Code Execution in Apache Tomcat|
-----BEGIN PGP SIGNED MESSAGE-----
CVE-2013-4444 Remote Code Execution
Vendor: The Apache Software Foundation
- - Apache Tomcat 7.0.0 to 7.0.39
In very limited circumstances, it was possible for an attacker to upload
a malicious JSP to a Tomcat server and then trigger the execution of
that JSP. While Remote Code Execution would normally be viewed as a
critical vulnerability, the circumstances under which this is possible
are, in the view of the Tomcat security team, sufficiently limited that
this vulnerability is viewed as important.
For this attack to succeed all of the following requirements must be met:
a) Using Oracle Java 1.7.0 update 25 or earlier (or any other Java
implementation where java.io.File is vulnerable to null byte
b) A web application must be deployed to a vulnerable version of Tomcat
(see previous section).
c) The web application must use the Servlet 3.0 File Upload feature.
d) A file location within a deployed web application must be writeable
by the user the Tomcat process is running as. The Tomcat security
documentation recommends against this.
e) A custom listener for JMX connections (e.g. the JmxRemoteListener
that is not enabled by default) must be configured and be able to
load classes from Tomcat's common class loader (i.e. the custom JMX
listener must be placed in Tomcat's lib directory)
f) The custom JMX listener must be bound to an address other than
localhost for a remote attack (it is bound to localhost by default).
If the custom JMX listener is bound to localhost, a local attack
will still be possible.
Note that requirements b) and c) may be replaced with the following
g) A web application is deployed that uses Apache Commons File Upload
1.2.1 or earlier.
In this case a similar vulnerability may exist on any Servlet container,
not just Apache Tomcat.
This vulnerability may be mitigated by using any one of the following
- - Upgrade to Oracle Java 1.7.0 update 40 or later (or any other Java
implementation where java.io.File is not vulnerable to null byte
- - Use OS file permissions to prevent the process Tomcat is running as
from writing to any location within a deployed application.
- - Disable any custom JMX listeners
- - Upgrade to Apache Tomcat 7.0.40 or later
This issue was identified by Pierre Ernst of the VMware Security
Engineering, Communications & Response group (vSECR) and reported to
the Tomcat security team via the Pivotal security team.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
-----END PGP SIGNATURE-----