CVE-2017-12617 — Apache Tomcat Remote Code Execution Vulnerability

Apache Tomcat — HTTP PUT JSP Upload RCE on All Platforms via Partial PUT Bypass; Companion to CVE-2017-12615 (Windows); Patched October 2017

What Is Apache Tomcat?

Apache Tomcat is the leading open-source Java application server, deployed in millions of enterprise environments globally. CVE-2017-12617 is the platform-independent companion to CVE-2017-12615 (Windows-only) — while CVE-2017-12615 was patched in Tomcat 7.0.81, CVE-2017-12617 represents a related but distinct bypass that works across all operating systems and affects Tomcat 8.x and 9.x versions.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 25, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-12617 is a remote code execution vulnerability in Apache Tomcat (all platforms) caused by improper handling of HTTP PUT requests. When the DefaultServlet is configured with write permissions, a specially crafted PUT request can upload a JSP file to the server — which is then accessible via HTTP and executes server-side Java code. Unlike CVE-2017-12615 (Windows-specific trailing slash bypass), CVE-2017-12617 uses a different technique applicable to all platforms. Fixed in Apache Tomcat 8.5.24, 8.0.47, and 9.0.1 (October 2017). CISA added CVE-2017-12617 to the KEV catalog in March 2022.

Affected Versions

Tomcat Version                              Status
Apache Tomcat 9.0.0.M1 to 9.0.0             Vulnerable
Apache Tomcat 8.5.0 to 8.5.22               Vulnerable
Apache Tomcat 8.0.0.RC1 to 8.0.46           Vulnerable
Apache Tomcat 7.0.x (with PUT enabled)      Separately patched by CVE-2017-12615
All above with October 2017 patch applied   Fixed

Technical Details

Root Cause: JSP Upload via Partial PUT Request Bypass

CVE-2017-12617 is an unrestricted upload vulnerability (CWE-434) in Apache Tomcat's DefaultServlet. When readonly=false is configured, the DefaultServlet handles HTTP PUT for file uploads. The vulnerability involves sending a specially crafted PUT request (using partial PUT or specific URL encoding techniques) that bypasses Tomcat's check against uploading files with JSP extensions. The uploaded JSP is stored in the webapps directory and compiled by Tomcat when subsequently requested via HTTP GET.
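Because the precondition is a DefaultServlet that accepts PUT, the request that plants the JSP and the request that later executes it both appear in Tomcat's access log. The following detection script is an added example (not code from the page or from the Apache Tomcat project): it parses lines in the AccessLogValve "common" pattern, normalizes the logged request target the way the server maps it to a file (query string dropped, percent-decoding applied, trailing slash removed, since the CVE-2017-12615 variant depends on that slash), and flags PUTs of JSP targets plus any later request to a JSP that a PUT created. The log lines, IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Parser for Tomcat AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b);
# regex written for this example.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
JSP_EXTENSIONS = (".jsp", ".jspx")


def normalize_target(target):
    """Reduce a request target to the path Tomcat maps onto the filesystem:
    drop the query string, percent-decode, and strip the trailing slash the
    CVE-2017-12615 variant relies on. %r logs the raw request line, so
    without this step an encoded or slash-suffixed target would not match
    the .jsp check below."""
    path = target.split("?", 1)[0]
    path = unquote(path)
    return path.rstrip("/") or "/"


def is_jsp_path(path):
    return path.lower().endswith(JSP_EXTENSIONS)


def analyze_access_log(lines):
    """Return findings for PUT requests and for later requests to any JSP a
    PUT created. Tomcat's DefaultServlet answers a successful PUT with 201
    (created) or 204 (overwritten), so those statuses mean the file now
    exists under webapps and must be treated as a live web shell."""
    findings = []
    uploaded = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        method, status = m["method"], int(m["status"])
        path = normalize_target(m["target"])
        if method == "PUT":
            if not is_jsp_path(path):
                kind = "put_request"          # non-JSP PUT: review if PUT is not expected here
            elif status in (201, 204):
                kind = "jsp_put_succeeded"    # JSP now on disk: treat as an incident
                uploaded.add(path.lower())
            else:
                kind = "jsp_put_rejected"     # blocked attempt (403/405 etc.): still notable
        elif path.lower() in uploaded:
            kind = "uploaded_jsp_requested"   # the uploaded JSP was executed
        else:
            continue
        findings.append({"kind": kind, "ip": m["ip"], "path": path, "status": status})
    return findings


# Constructed sample log lines (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.10 - - [03/Oct/2017:10:15:01 +0000] "PUT /test.jsp/ HTTP/1.1" 201 0',
    '203.0.113.10 - - [03/Oct/2017:10:15:03 +0000] "GET /test.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Oct/2017:10:16:00 +0000] "GET /index.jsp HTTP/1.1" 200 2048',
    '198.51.100.7 - - [03/Oct/2017:10:16:05 +0000] "PUT /uploads/report.txt HTTP/1.1" 204 0',
    '203.0.113.10 - - [03/Oct/2017:10:17:00 +0000] "PUT /cmd%2Ejsp HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for finding in analyze_access_log(SAMPLE_LOG):
        print(f"{finding['kind']:24} {finding['ip']:14} {finding['status']} {finding['path']}")
```

Run as-is to see the four findings from the sample; in practice feed it `logs/localhost_access_log.*.txt`. A successful JSP PUT followed by a request to the same path from the same source is the sequence to page on; a rejected JSP PUT indicates scanning against a host that is configured correctly.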

Comparison with CVE-2017-12615:

Property           CVE-2017-12615           CVE-2017-12617
Platform           Windows only             All platforms
Tomcat versions    7.x                      8.x, 9.x
Bypass technique   Windows trailing slash   Partial PUT / encoding
Patch              7.0.81                   8.5.24, 8.0.47, 9.0.1

Organizations running Tomcat 8.x or 9.x on Linux, macOS, or Windows need to patch CVE-2017-12617 — CVE-2017-12615 only applies to 7.x on Windows.

Attack Characteristics

Attribute       Detail
Attack Vector   Network — HTTP PUT to Tomcat DefaultServlet
Platform        All operating systems
Payload         JSP web shell → arbitrary Java RCE
Prerequisite    DefaultServlet readonly=false

Exploitation Context

  • Cross-platform reach: CVE-2017-12617's platform-independence makes it more broadly applicable than CVE-2017-12615; Linux-hosted Tomcat (the most common production deployment) is affected
  • Automated scanning at scale: Exploit tools targeting both CVE-2017-12615 and CVE-2017-12617 were widely available immediately after patch release; mass scanning campaigns targeted Tomcat on standard ports globally
  • DevOps deployment patterns: Some CI/CD pipelines and deployment automation systems enable HTTP PUT on Tomcat for deploying WAR files or static content; these configurations inadvertently enabled CVE-2017-12617 exploitation
  • CISA KEV (2022): Added March 25, 2022 alongside CVE-2017-12615 — both Apache Tomcat JSP upload vulnerabilities represent ongoing exploitation risk

Remediation

CISA BOD 22-01 Deadline: April 15, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
  1. Upgrade Apache Tomcat — update to Tomcat 8.5.24+, 8.0.47+, or 9.0.1+ to patch CVE-2017-12617. If running Tomcat 7.x on Windows, also ensure CVE-2017-12615 is patched (7.0.81+).

  2. Disable HTTP PUT — unless explicitly required, configure the DefaultServlet with readonly=true (the default); this mitigates both CVE-2017-12615 and CVE-2017-12617.

  3. Restrict access to Tomcat HTTP port — limit which network sources can reach the Tomcat HTTP port; legitimate users typically access Tomcat via a reverse proxy rather than directly.

  4. Deploy a reverse proxy — place Tomcat behind Apache httpd or nginx configured to block HTTP PUT requests; this provides an additional layer of protection independent of Tomcat's own configuration.

  5. Audit Tomcat webapps directories — check all webapps directories for unexpected .jsp files; any JSP not part of the deployed application is a potential web shell.
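Steps 2 and 5 are the ones an operator can verify mechanically: is the DefaultServlet read-only, and is every JSP under webapps one the deployment is supposed to contain? The script below is an added example (not from the page or from the Apache Tomcat project) that does both. It assumes the standard layout `conf/web.xml` and `webapps/` under a Tomcat home directory; the web.xml fragments, file listing and allowlist embedded in it are constructed for the example. It treats a missing `readonly` init-param as Tomcat's default (true) and, because Tomcat parses the value with `Boolean.parseBoolean`, treats only a literal `true` as read-only.

```python
import os
import sys
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"
JSP_EXTENSIONS = (".jsp", ".jspx")


def _local(tag):
    """Strip the XML namespace ({...}servlet -> servlet) so namespaced and
    plain web.xml files are handled the same way."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """True when the DefaultServlet refuses PUT/DELETE (safe configuration).

    No 'readonly' init-param means Tomcat's default, which is true. Tomcat
    reads the value with Boolean.parseBoolean, so only a literal 'true' keeps
    the servlet read-only; 'false' (or any other value) enables PUT, which is
    the precondition for CVE-2017-12617."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        classes = [c.text.strip() for c in servlet
                   if _local(c.tag) == "servlet-class" and c.text]
        if DEFAULT_SERVLET_CLASS not in classes:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                return value.lower() == "true"
    return True


def unexpected_jsp_files(relative_paths, allowlist):
    """JSP/JSPX paths (relative to webapps/) that are not in the deployment
    allowlist; each one is a candidate web shell to inspect."""
    allowed = {p.replace("\\", "/").lower() for p in allowlist}
    suspicious = []
    for p in relative_paths:
        norm = p.replace("\\", "/")
        if norm.lower().endswith(JSP_EXTENSIONS) and norm.lower() not in allowed:
            suspicious.append(norm)
    return sorted(suspicious)


def list_files(root):
    """All files under root as forward-slash paths relative to root."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            found.append(rel.replace(os.sep, "/"))
    return found


# Constructed conf/web.xml fragment with PUT enabled (the weak setting).
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Same fragment with the hardened (and default) setting.
SAFE_WEB_XML = WEAK_WEB_XML.replace(
    "<param-name>readonly</param-name><param-value>false</param-value>",
    "<param-name>readonly</param-name><param-value>true</param-value>")

# Constructed file listing and allowlist standing in for a real webapps/ tree.
SAMPLE_FILES = ["ROOT/index.jsp", "ROOT/WEB-INF/web.xml",
                "app/login.jsp", "app/css/site.css", "app/images/cmd.jsp"]
SAMPLE_ALLOWLIST = ["ROOT/index.jsp", "app/login.jsp"]


if __name__ == "__main__":
    # Usage: python audit_tomcat_put.py <catalina_home> <allowlist.txt>  (names assumed)
    if len(sys.argv) == 3:
        catalina_home, allow_file = sys.argv[1], sys.argv[2]
        with open(os.path.join(catalina_home, "conf", "web.xml")) as fh:
            print("DefaultServlet read-only:", default_servlet_readonly(fh.read()))
        with open(allow_file) as fh:
            allow = [ln.strip() for ln in fh if ln.strip()]
        webapps = os.path.join(catalina_home, "webapps")
        for path in unexpected_jsp_files(list_files(webapps), allow):
            print("UNEXPECTED JSP:", path)
    else:
        print("weak config read-only:", default_servlet_readonly(WEAK_WEB_XML))
        print("safe config read-only:", default_servlet_readonly(SAFE_WEB_XML))
        print("unexpected JSPs:", unexpected_jsp_files(SAMPLE_FILES, SAMPLE_ALLOWLIST))
```

The allowlist is best generated from the deployed WAR (the JSP entries in its manifest or archive listing) rather than from the live directory, otherwise a JSP that was already planted becomes "expected". Per-application `WEB-INF/web.xml` files can also declare the DefaultServlet with their own init-params, so run the read-only check against each of those too.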

Key Details

Property               Value
CVE ID                 CVE-2017-12617
Vendor / Product       Apache — Tomcat
NVD Published          2017-10-04
NVD Last Modified      2025-10-22
CVSS 3.1 Score         8.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CWE                    CWE-434 — Unrestricted Upload of File with Dangerous Type
CISA KEV Added         2022-03-25
CISA KEV Deadline      2022-04-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    High
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2022-04-15. Apply updates per vendor instructions.

Timeline

Date         Event
2017-10-03   Apache releases Tomcat 8.5.24, 8.0.47, 9.0.1 patching CVE-2017-12617
2017-10-04   CVE-2017-12617 published by NVD
2022-03-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-04-15   CISA BOD 22-01 remediation deadline

References

Resource                           Type
NVD — CVE-2017-12617               Vulnerability Database
CISA KEV Catalog Entry             US Government
Apache Tomcat 9.x Security Fixes   Vendor Advisory