MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2017

MA-684.102017: MyCERT Advisory – Apache Tomcat Remote Code Execution via JSP upload

Date first published: 05/10/2017

1.0    Introduction
A new vulnerability found in Apache Tomcat version below 9.0.1 and 8.5.23 with HTTP PUT enabled allow uploading a JSP file to the server via a specially crafted request when running HTTP PUTs enabled (e.g. via setting the read only initialization parameter of the Default servlet to false). This JSP could then be requested and any code it contained would be executed by the server.

2.0    Impact
Exploitation of this vulnerability may allow an attacker to take control of an affected server.

3.0 Affected Products
The affected products of Apache Tomcat are as listed below:
  • Apache Tomcat 9.0.0.M1 to 9.0.0
  • Apache Tomcat 8.5.0 to 8.5.22
  • Apache Tomcat 8.0.0.RC1 to 8.0.46
  • Apache Tomcat 7.0.0 to 7.0.81

4.0 Recommendations
MyCERT recommends all users of the affected versions should apply one of the following mitigations:

  • Upgrade to Apache Tomcat 9.0.1 or later
  • Upgrade to Apache Tomcat 8.5.23 or later
  • Upgrade to Apache Tomcat 8.0.47 or later
  • Upgrade to Apache Tomcat 7.0.82 or later

Generally, MyCERT advises the users of this software to be updated with the latest security announcements by the vendor and follow best practice security policies to determine which updates should be applied.

For further enquiries, please contact MyCERT through the following channels:
E-mail: or
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60 19 2665850 (24x7 call incident reporting)
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT
Cyber999 Mobile Apps: IOS Users or Android Users

5.0    References