📄 Description (English)
Apache Tomcat on Windows Remote Code Execution Vulnerability — When running Apache Tomcat on Windows with HTTP PUTs enabled, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
🤖 AI Executive Summary
CVE-2017-12615 is a critical remote code execution vulnerability in Apache Tomcat running on Windows systems with HTTP PUT method enabled. An attacker can upload a malicious JSP file via a specially crafted PUT request, which is then executed by the server, leading to full system compromise. This vulnerability has a CVSS score of 9.0, known public exploits are available, and it has been actively exploited in the wild. Despite being discovered in 2017, unpatched Tomcat instances remain a significant risk, particularly in legacy environments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 8, 2026 02:48
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations running Apache Tomcat on Windows servers. Government portals (NCA-regulated entities), banking web applications (SAMA-regulated institutions), healthcare systems, and energy sector SCADA/web interfaces (including ARAMCO and subsidiary systems) are at high risk. Saudi telecom providers (STC, Mobily, Zain) hosting customer-facing portals on Tomcat are also exposed. Given the prevalence of Tomcat in Saudi enterprise environments for e-government services (Absher, Tawakkalna backends, ministry portals) and the availability of public exploits, this vulnerability could enable attackers to gain full control of web servers, exfiltrate sensitive citizen data, or pivot into internal networks. Legacy systems in Saudi organizations that have not been updated since 2017 are particularly vulnerable.
🏢 Affected Saudi Sectors
Government
Banking
Energy
Healthcare
Telecommunications
Education
Retail
Transportation
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all Apache Tomcat instances running on Windows across your environment using asset discovery tools
2. Disable HTTP PUT method immediately if not required by setting 'readonly' parameter to 'true' in the default servlet configuration (web.xml)
3. Implement WAF rules to block PUT requests containing .jsp extensions or trailing special characters
Patching Guidance:
4. Upgrade Apache Tomcat to patched versions: 7.0.81+, 8.0.46+, 8.5.22+, or 9.0.1+
5. For latest security, upgrade to the most current stable release of Tomcat
Compensating Controls:
6. Restrict network access to Tomcat management interfaces using firewall rules
7. Implement file integrity monitoring on Tomcat webapps directories to detect unauthorized JSP uploads
8. Deploy IDS/IPS signatures for CVE-2017-12615 exploitation attempts
9. Run Tomcat with least-privilege accounts, not as SYSTEM or Administrator
Detection Rules:
10. Monitor HTTP PUT requests to Tomcat servers, especially those targeting .jsp, .jspx files or using trailing spaces/slashes
11. Alert on new .jsp file creation in webapps directories
12. Search logs for patterns: PUT requests with filenames ending in %20, ::$DATA, or trailing slash
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع خوادم Apache Tomcat العاملة على Windows في بيئتكم باستخدام أدوات اكتشاف الأصول
2. تعطيل طريقة HTTP PUT فوراً إذا لم تكن مطلوبة عبر ضبط معامل 'readonly' إلى 'true' في إعدادات السيرفلت الافتراضي (web.xml)
3. تطبيق قواعد جدار حماية تطبيقات الويب لحظر طلبات PUT التي تحتوي على امتدادات .jsp أو أحرف خاصة
إرشادات التحديث:
4. ترقية Apache Tomcat إلى الإصدارات المصححة: 7.0.81+ أو 8.0.46+ أو 8.5.22+ أو 9.0.1+
5. للحصول على أحدث الحماية، الترقية إلى أحدث إصدار مستقر من Tomcat
الضوابط التعويضية:
6. تقييد الوصول الشبكي لواجهات إدارة Tomcat باستخدام قواعد جدار الحماية
7. تطبيق مراقبة سلامة الملفات على مجلدات تطبيقات Tomcat لاكتشاف رفع ملفات JSP غير المصرح بها
8. نشر توقيعات أنظمة كشف ومنع التسلل لمحاولات استغلال CVE-2017-12615
9. تشغيل Tomcat بحسابات ذات صلاحيات محدودة وليس كمسؤول نظام
قواعد الكشف:
10. مراقبة طلبات HTTP PUT لخوادم Tomcat خاصة تلك التي تستهدف ملفات .jsp أو .jspx
11. التنبيه عند إنشاء ملفات .jsp جديدة في مجلدات التطبيقات
12. البحث في السجلات عن أنماط طلبات PUT بأسماء ملفات تنتهي بـ %20 أو ::$DATA أو شرطة مائلة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2-3-1 (Patch Management)
ECC 2-5-1 (Web Application Security)
ECC 2-2-1 (Vulnerability Management)
ECC 2-6-1 (Security Monitoring and Event Management)
ECC 2-4-1 (Network Security)
🔵 SAMA CSF
3.3.3 (Patch Management)
3.3.5 (Vulnerability Management)
3.4.1 (Security Event Monitoring)
3.3.7 (Web Application Security)
3.1.3 (Asset Management)
🟡 ISO 27001:2022
A.8.8 (Management of Technical Vulnerabilities)
A.8.9 (Configuration Management)
A.8.16 (Monitoring Activities)
A.8.25 (Secure Development Life Cycle)
A.8.28 (Secure Coding)
🟣 PCI DSS v4.0
6.3.3 (Patching Security Vulnerabilities)
6.4 (Public-Facing Web Application Security)
11.3 (Penetration Testing)
10.6 (Review Logs and Security Events)
2.2 (System Configuration Standards)
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Apache:Tomcat