Apache Tomcat Vulnerabilities

CVE-2017-12617

Apache Tomcat Remote Code Execution via JSP upload

This vulnerability allows a malicious attacker to upload JSP files to a vulnerable Tomcat server and execute them.  It is listed as affecting versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUT enabled.  Note that even if your version is in this list, the vulnerability also requires the following parameter to be explicitly set on the default servlet in web.xml:

<init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
</init-param>

Yellowfin does NOT define this parameter by default.  Checking the web.xml at /appserver/conf/web.xml for this readonly setting will confirm your instance is not vulnerable.

CVE-2019-0232

Apache Tomcat Remote Code Execution via CGI Servlet

A Tomcat instance hosted on a Windows machine with the CGI Servlet enabled is vulnerable to Remote Code Execution when the enableCmdLineArguments option is enabled.  The CGI Servlet is disabled in Tomcat by default and must be explicitly enabled in the $CATALINA_BASE/conf/web.xml file.  The following snippet enables the servlet mapping when uncommented:

    <!-- The mapping for the CGI Gateway servlet -->
<!--
    <servlet-mapping>
        <servlet-name>cgi</servlet-name>
        <url-pattern>/cgi-bin/*</url-pattern>
    </servlet-mapping>
-->
Yellowfin does not enable this in our default installations, and our application does not utilize this servlet.
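The following is an added example, not Yellowfin's or Tomcat's own code, that audits a Tomcat conf/web.xml for the two conditions discussed in both sections above: the default servlet's readonly parameter set to false (CVE-2017-12617) and an active CGI servlet mapping or enableCmdLineArguments setting (CVE-2019-0232).  The sample web.xml embedded below is constructed for the demonstration; the function names are this example's own.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Strip the namespace from a tag ('{uri}servlet' -> 'servlet')."""
    return tag.rsplit('}', 1)[-1]

def _child_text(el, name):
    """Text of the first child element called `name`, or '' if absent."""
    for c in el:
        if _local(c.tag) == name:
            return (c.text or '').strip()
    return ''

def _params(servlet):
    """Map of <init-param> name -> value for a <servlet> element."""
    return {_child_text(ip, 'param-name'): _child_text(ip, 'param-value')
            for ip in servlet if _local(ip.tag) == 'init-param'}

def audit_web_xml(xml_text):
    """Report the web.xml preconditions for CVE-2017-12617 and CVE-2019-0232.

    ElementTree discards XML comments, so a servlet or mapping that is still
    commented out (Tomcat's shipped default) is correctly reported as absent.
    """
    root = ET.fromstring(xml_text)
    f = {'default_readonly_false': False, 'cgi_servlet_mapped': False,
         'cgi_cmdline_args': False}
    for el in root:
        tag = _local(el.tag)
        if tag == 'servlet':
            name, p = _child_text(el, 'servlet-name'), _params(el)
            if name == 'default' and p.get('readonly', '').lower() == 'false':
                f['default_readonly_false'] = True
            if name == 'cgi' and p.get('enableCmdLineArguments', '').lower() == 'true':
                f['cgi_cmdline_args'] = True
        elif tag == 'servlet-mapping' and _child_text(el, 'servlet-name') == 'cgi':
            f['cgi_servlet_mapped'] = True
    return f

# Constructed sample: readonly=false is set (bad), CGI mapping left commented (ok).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <!-- <servlet-mapping><servlet-name>cgi</servlet-name>
       <url-pattern>/cgi-bin/*</url-pattern></servlet-mapping> -->
</web-app>"""

if __name__ == '__main__':
    import sys  # pass a path such as /appserver/conf/web.xml to audit a real file
    text = open(sys.argv[1], encoding='utf-8').read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for key, flagged in audit_web_xml(text).items():
        print(f'{key}: {flagged}')
```

Any True value means the corresponding precondition described above is present and should be reverted to Tomcat's default before treating the instance as unaffected.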
