HackDig : Dig high-quality web security articles for hacker

Apache Warns of Tomcat Remote Code Execution Vulnerability

2014-09-11 05:00

Some older versions of the open source Apache Tomcat web server and servlet container, are vulnerable to remote code execution.

In what Mark Thomas, a longtime Apache Tomcat committer, calls “limited circumstances,” a user could upload malicious JavaServer Pages (JSP) to a server running Tomcat, and then later trigger the execution of that JSP. JSP shells can be used to execute arbitrary commands on the server.

Related Posts

Versions 7.0.0 to 7.0.39 should be considered vulnerable until patched, Thomas warned today.

Exploiting the vulnerability (CVE-2014-4444) - dug up last week by Pierre Ernst at VMware’s Security Engineering, Communications and Response Group (vSECR) – is easier said than done according to Apache officials.

An attacker would have to ensure certain conditions were in place – including using Oracle Java 1.7.0 Update 25 or earlier along with a vulnerable version of Tomcat. For what it’s worth, the system’s file location must be writeable and a custom listener for JMX conditions would have to be configured and bound to an address other than localhost as well, according to Thomas.

It’s because of the limitations that the security team at Tomcat downgraded the vulnerability from critical, the severity usually associated with remote execution bugs, to important.

Apache is encouraging users to either upgrade to Tomcat 7.0.40 to remedy the issue or upgrade their Oracle Java to 1.7.0 or later to mitigate it.


Source: 291801/ytilibarenluv-noitucexe-edoc-etomer-tacmot-fo-snraw-ehcapa/moc.tsoptaerht

“Apache Warns of Tomcat Remote Code Execution Vulnerability”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud