📄 Description (English)
Apache Tomcat Remote Code Execution Vulnerability — When running Apache Tomcat, it is possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
🤖 AI Executive Summary
CVE-2017-12617 is a critical Remote Code Execution (RCE) vulnerability in Apache Tomcat that allows attackers to upload malicious JSP files via specially crafted PUT requests when the HTTP PUT method is enabled (readonly parameter set to false). The uploaded JSP file can then be executed on the server, granting full remote code execution capabilities. Public exploits are widely available, and this vulnerability has been actively exploited in the wild. Despite being from 2017, unpatched Tomcat instances remain a significant risk, particularly in legacy environments.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 8, 2026 02:49
🇸🇦 Saudi Arabia Impact Assessment
Apache Tomcat is extensively deployed across Saudi Arabian organizations in multiple critical sectors. Government portals and e-services (NCA-regulated entities) frequently use Tomcat as their application server. Banking and financial institutions under SAMA regulation use Tomcat for internal and customer-facing web applications. Saudi Aramco and energy sector companies use Tomcat in operational and enterprise IT environments. Telecom providers like STC and Mobily may have Tomcat instances in their service delivery platforms. Healthcare systems including NPHIES and hospital management systems may also be affected. The availability of public exploits and the prevalence of legacy Tomcat deployments in Saudi infrastructure make this a high-priority threat. Successful exploitation could lead to complete server compromise, data exfiltration, lateral movement, and potential disruption of critical national services.
🏢 Affected Saudi Sectors
Government
Banking
Energy
Telecom
Healthcare
Education
Retail
Transportation
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Apache Tomcat instances across the organization using asset discovery tools
2. Check if the HTTP PUT method is enabled (readonly=false in web.xml DefaultServlet configuration)
3. Immediately disable the PUT method if not required by setting readonly=true
4. Block PUT requests at the WAF/reverse proxy level as a compensating control
PATCHING GUIDANCE:
5. Upgrade Apache Tomcat to patched versions: 9.0.1+, 8.5.23+, 8.0.47+, or 7.0.82+
6. If immediate patching is not possible, ensure readonly parameter is set to true (default)
7. Remove any unauthorized JSP files from the webapps directory
DETECTION RULES:
8. Monitor web server logs for PUT requests containing .jsp extensions
9. Implement IDS/IPS signatures for CVE-2017-12617 exploitation attempts
10. Alert on new JSP file creation in Tomcat webapps directories
11. Monitor for unusual outbound connections from Tomcat processes
12. Search for indicators: PUT requests with trailing '/' or encoded characters targeting .jsp files
COMPENSATING CONTROLS:
13. Implement network segmentation to limit Tomcat server exposure
14. Apply principle of least privilege to Tomcat service accounts
15. Enable Tomcat Security Manager to restrict JSP capabilities
16. Deploy application-layer firewall rules to block malicious PUT requests
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع خوادم Apache Tomcat في المنظمة باستخدام أدوات اكتشاف الأصول
2. التحقق مما إذا كان أسلوب HTTP PUT مُفعّلاً (readonly=false في إعدادات DefaultServlet في web.xml)
3. تعطيل أسلوب PUT فوراً إذا لم يكن مطلوباً بضبط readonly=true
4. حظر طلبات PUT على مستوى جدار حماية التطبيقات/الوكيل العكسي كإجراء تعويضي
إرشادات التحديث:
5. ترقية Apache Tomcat إلى الإصدارات المُصحّحة: 9.0.1+، 8.5.23+، 8.0.47+، أو 7.0.82+
6. إذا لم يكن التحديث الفوري ممكناً، تأكد من ضبط معامل readonly على true (الافتراضي)
7. إزالة أي ملفات JSP غير مصرح بها من مجلد webapps
قواعد الكشف:
8. مراقبة سجلات خادم الويب لطلبات PUT التي تحتوي على امتدادات .jsp
9. تطبيق توقيعات IDS/IPS لمحاولات استغلال CVE-2017-12617
10. التنبيه عند إنشاء ملفات JSP جديدة في مجلدات webapps
11. مراقبة الاتصالات الصادرة غير المعتادة من عمليات Tomcat
12. البحث عن المؤشرات: طلبات PUT مع '/' لاحقة أو أحرف مُشفّرة تستهدف ملفات .jsp
الضوابط التعويضية:
13. تطبيق تجزئة الشبكة للحد من تعرض خوادم Tomcat
14. تطبيق مبدأ الحد الأدنى من الصلاحيات لحسابات خدمة Tomcat
15. تفعيل مدير أمان Tomcat لتقييد قدرات JSP
16. نشر قواعد جدار حماية طبقة التطبيقات لحظر طلبات PUT الخبيثة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2-3-1 (Vulnerability Management)
ECC 2-3-4 (Patch Management)
ECC 2-5-1 (Web Application Security)
ECC 2-2-1 (Network Security)
ECC 2-6-1 (Security Monitoring and Event Management)
ECC 2-1-3 (Asset Management)
🔵 SAMA CSF
SAMA CSF 3.3.3 (Patch Management)
SAMA CSF 3.3.5 (Vulnerability Management)
SAMA CSF 3.3.7 (Web Application Security)
SAMA CSF 3.4.1 (Security Event Monitoring)
SAMA CSF 3.3.1 (Network Security Management)
SAMA CSF 3.1.3 (Asset Classification and Control)
🟡 ISO 27001:2022
A.8.8 (Management of Technical Vulnerabilities)
A.8.9 (Configuration Management)
A.8.20 (Network Security)
A.8.16 (Monitoring Activities)
A.8.28 (Secure Coding)
A.5.7 (Threat Intelligence)
🟣 PCI DSS v4.0
PCI DSS 6.3.3 (Patching Security Vulnerabilities)
PCI DSS 6.4 (Public-Facing Web Application Protection)
PCI DSS 6.2 (Develop Software Securely)
PCI DSS 11.3 (Vulnerability Scanning)
PCI DSS 10.6 (Review Logs and Security Events)
PCI DSS 2.2 (System Configuration Standards)
🔗 References & Sources 0
No references.
📦 Affected Products / CPE 1 entries
Apache:Tomcat