Some older versions of the open source Apache Tomcat web server and servlet container, are vulnerable to remote code execution.
In what Mark Thomas, a longtime Apache Tomcat committer, calls “limited circumstances,” a user could upload malicious JavaServer Pages (JSP) to a server running Tomcat, and then later trigger the execution of that JSP. JSP shells can be used to execute arbitrary commands on the server.
Versions 7.0.0 to 7.0.39 should be considered vulnerable until patched, Thomas warned today.
Exploiting the vulnerability (CVE-2014-4444) – dug up last week by Pierre Ernst at VMware’s Security Engineering, Communications and Response Group (vSECR) – is easier said than done according to Apache officials.
An attacker would have to ensure certain conditions were in place – including using Oracle Java 1.7.0 Update 25 or earlier along with a vulnerable version of Tomcat. For what it’s worth, the system’s file location must be writeable and a custom listener for JMX conditions would have to be configured and bound to an address other than localhost as well, according to Thomas.
It’s because of the limitations that the security team at Tomcat downgraded the vulnerability from critical, the severity usually associated with remote execution bugs, to important.
Apache is encouraging users to either upgrade to Tomcat 7.0.40 to remedy the issue or upgrade their Oracle Java to 1.7.0 or later to mitigate it.