ID CVE-2017-15706
Summary As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 7.0.79
    cpe:2.3:a:apache:tomcat:7.0.79
  • Apache Software Foundation Tomcat 7.0.80
    cpe:2.3:a:apache:tomcat:7.0.80
  • Apache Software Foundation Tomcat 7.0.81
    cpe:2.3:a:apache:tomcat:7.0.81
  • Apache Software Foundation Tomcat 7.0.82
    cpe:2.3:a:apache:tomcat:7.0.82
  • Apache Software Foundation Tomcat 8.0.47
    cpe:2.3:a:apache:tomcat:8.0.47
  • Apache Software Foundation Tomcat 8.5.23
    cpe:2.3:a:apache:tomcat:8.5.23
  • Apache Software Foundation Tomcat 9.0.0 M22
    cpe:2.3:a:apache:tomcat:9.0.0:m22
  • Apache Software Foundation Tomcat 9.0.0 M25
    cpe:2.3:a:apache:tomcat:9.0.0:m25
  • Apache Software Foundation Tomcat 9.0.0 M26
    cpe:2.3:a:apache:tomcat:9.0.0:m26
  • Apache Software Foundation Tomcat 9.0.0 M27
    cpe:2.3:a:apache:tomcat:9.0.0:m27
  • Apache Software Foundation Tomcat 9.0.0 M3
    cpe:2.3:a:apache:tomcat:9.0.0:m3
  • Apache Software Foundation Tomcat 9.0.0 M4
    cpe:2.3:a:apache:tomcat:9.0.0:m4
  • Apache Software Foundation Tomcat 9.0.0 M6
    cpe:2.3:a:apache:tomcat:9.0.0:m6
  • Apache Software Foundation Tomcat 9.0.0 M8
    cpe:2.3:a:apache:tomcat:9.0.0:m8
  • Apache Software Foundation Tomcat 9.0.0 M9
    cpe:2.3:a:apache:tomcat:9.0.0:m9
  • Apache Software Foundation Tomcat 9.0.1
    cpe:2.3:a:apache:tomcat:9.0.1
CVSS
Base: 5.0
Impact:
Exploitability:
CWE CWE-358
CAPEC
nessus via4
  • NASL family Web Servers
    NASL id TOMCAT_9_0_2.NASL
    description The version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.2. It is, therefore, affected by a flaw that is due to the program containing an incorrect description for the CGI Servlet search algorithm, which may cause an administrator to leave the system in an insecure state.
    last seen 2019-02-21
    modified 2018-08-01
    plugin id 106713
    published 2018-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106713
    title Apache Tomcat 9.0.0.M22 < 9.0.2 Insecure CGI Servlet Search Algorithm Description Weakness
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-325.NASL
    description This update for tomcat fixes the following issues : Security issues fixed : - CVE-2018-1305: Fixed late application of security constraints that can lead to resource exposure for unauthorised users (bsc#1082481). - CVE-2018-1304: Fixed incorrect handling of empty string URL in security constraints that can lead to unintended exposure of resources (bsc#1082480). - CVE-2017-15706: Fixed incorrect documentation of CGI Servlet search algorithm that may lead to misconfiguration (bsc#1078677). This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 108742
    published 2018-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108742
    title openSUSE Security Update : tomcat (openSUSE-2018-325)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-973.NASL
    description Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration : As part of the fix for bug 61201, the documentation for Apache Tomcat included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected. (CVE-2017-15706) Late application of security constraints can lead to resource exposure for unauthorised users : Security constraints defined by annotations of Servlets in Apache Tomcat were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. (CVE-2018-1305) Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources : The URL pattern of '' (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. (CVE-2018-1304)
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 108598
    published 2018-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108598
    title Amazon Linux AMI : tomcat80 (ALAS-2018-973)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3665-1.NASL
    description It was discovered that Tomcat incorrectly handled being configured with HTTP PUTs enabled. A remote attacker could use this issue to upload a JSP file to the server and execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-12616, CVE-2017-12617) It was discovered that Tomcat contained incorrect documentation regarding description of the search algorithm used by the CGI Servlet to identify which script to execute. This issue only affected Ubuntu 17.10. (CVE-2017-15706) It was discovered that Tomcat incorrectly handled an empty string URL pattern in security constraint definitions. A remote attacker could possibly use this issue to gain access to web application resources, contrary to expectations. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1304) It was discovered that Tomcat incorrectly handled applying certain security constraints. A remote attacker could possibly access certain resources, contrary to expectations. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1305) It was discovered that the Tomcat CORS filter default settings were insecure and would enable 'supportsCredentials' for all origins, contrary to expectations. (CVE-2018-8014). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2019-02-07
    plugin id 110264
    published 2018-05-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110264
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : tomcat7, tomcat8 vulnerabilities (USN-3665-1)
  • NASL family Web Servers
    NASL id TOMCAT_8_5_24.NASL
    description The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.24. It is, therefore, affected by a flaw that is due to the program containing an incorrect description for the CGI Servlet search algorithm, which may cause an administrator to leave the system in an insecure state.
    last seen 2019-02-21
    modified 2018-08-01
    plugin id 106712
    published 2018-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106712
    title Apache Tomcat 8.5.16 < 8.5.24 Insecure CGI Servlet Search Algorithm Description Weakness
  • NASL family Web Servers
    NASL id TOMCAT_7_0_84.NASL
    description The version of Apache Tomcat installed on the remote host is 7.0.x prior to 7.0.84. It is, therefore, affected by a flaw that is due to the program containing an incorrect description for the CGI Servlet search algorithm, which may cause an administrator to leave the system in an insecure state.
    last seen 2019-02-21
    modified 2018-08-01
    plugin id 106710
    published 2018-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106710
    title Apache Tomcat 7.0.79 < 7.0.83 Insecure CGI Servlet Search Algorithm Description Weakness
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-947.NASL
    description Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration : As part of the fix for bug 61201, the documentation for Apache Tomcat included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected. (CVE-2017-15706)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 106692
    published 2018-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106692
    title Amazon Linux AMI : tomcat7 (ALAS-2018-947)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-0B48740047.NASL
    description This update includes a rebase from 8.0.47 to 8.0.49. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-05
    plugin id 106634
    published 2018-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106634
    title Fedora 27 : 1:tomcat (2018-0b48740047)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-959.NASL
    description Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration : As part of the fix for bug 61201, the documentation for Apache Tomcat included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected. (CVE-2017-15706)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 106936
    published 2018-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106936
    title Amazon Linux AMI : tomcat8 (ALAS-2018-959)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-AC2E276C76.NASL
    description This update includes a rebase from 8.0.47 to 8.0.49. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-03-05
    plugin id 106914
    published 2018-02-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106914
    title Fedora 26 : 1:tomcat (2018-ac2e276c76)
  • NASL family Web Servers
    NASL id TOMCAT_8_0_48.NASL
    description The version of Apache Tomcat installed on the remote host is 8.0.x prior to 8.0.48. It is, therefore, affected by a flaw that is due to the program containing an incorrect description for the CGI Servlet search algorithm, which may cause an administrator to leave the system in an insecure state.
    last seen 2019-02-21
    modified 2018-08-01
    plugin id 106711
    published 2018-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106711
    title Apache Tomcat 8.0.45 < 8.0.48 Insecure CGI Servlet Search Algorithm Description Weakness
refmap via4
bid 103069
mlist
  • [announce] 20180131 [SECURITY] CVE-2017-15706 Apache Tomcat Incorrectly documented CGI search algorithm
  • [tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
  • [tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
  • [tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
  • [tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
ubuntu USN-3665-1
Last major update 31-01-2018 - 09:29
Published 31-01-2018 - 09:29
Last modified 15-04-2019 - 12:31