Exploited | Score: 8.1 | CWE-434

CVE-2017-12617: Apache Tomcat Remote Code Execution Vulnerability

First published: Thu Sep 21 2017

Last updated: 21 February 2025

Credit: security@apache.org

Affected Software               | Affected Version        | How to fix
debian/tomcat7                  |                         |
debian/tomcat8.0                |                         |
redhat/tomcat                   | <7.0.82                 | 7.0.82
redhat/tomcat                   | <8.0.47                 | 8.0.47
redhat/tomcat                   | <8.5.23                 | 8.5.23
maven/org.apache.tomcat:tomcat  | >=8.0.0RC1<=8.0.46      | 8.0.47
maven/org.apache.tomcat:tomcat  | >=7.0.0<=7.0.81         | 7.0.82
maven/org.apache.tomcat:tomcat  | >=8.5.0<=8.5.22         | 8.5.23
maven/org.apache.tomcat:tomcat  | >=9.0.0.M1<=9.0.0M27    | 9.0.1
Tomcat
Tomcat=7.0.0
Tomcat=7.0.1
Tomcat=7.0.2
Tomcat=7.0.2-beta
Tomcat=7.0.3
Tomcat=7.0.4
Tomcat=7.0.4-beta
Tomcat=7.0.5
Tomcat=7.0.5-beta
Tomcat=7.0.6
Tomcat=7.0.7
Tomcat=7.0.8
Tomcat=7.0.9
Tomcat=7.0.10
Tomcat=7.0.11
Tomcat=7.0.12
Tomcat=7.0.13
Tomcat=7.0.14
Tomcat=7.0.15
Tomcat=7.0.16
Tomcat=7.0.17
Tomcat=7.0.18
Tomcat=7.0.19
Tomcat=7.0.20
Tomcat=7.0.21
Tomcat=7.0.22
Tomcat=7.0.23
Tomcat=7.0.24
Tomcat=7.0.25
Tomcat=7.0.26
Tomcat=7.0.27
Tomcat=7.0.28
Tomcat=7.0.29
Tomcat=7.0.30
Tomcat=7.0.31
Tomcat=7.0.32
Tomcat=7.0.33
Tomcat=7.0.34
Tomcat=7.0.35
Tomcat=7.0.36
Tomcat=7.0.37
Tomcat=7.0.38
Tomcat=7.0.39
Tomcat=7.0.40
Tomcat=7.0.41
Tomcat=7.0.42
Tomcat=7.0.43
Tomcat=7.0.44
Tomcat=7.0.45
Tomcat=7.0.46
Tomcat=7.0.47
Tomcat=7.0.48
Tomcat=7.0.49
Tomcat=7.0.50
Tomcat=7.0.51
Tomcat=7.0.54
Tomcat=7.0.55
Tomcat=7.0.56
Tomcat=7.0.57
Tomcat=7.0.58
Tomcat=7.0.59
Tomcat=7.0.60
Tomcat=7.0.61
Tomcat=7.0.62
Tomcat=7.0.63
Tomcat=7.0.64
Tomcat=7.0.65
Tomcat=7.0.66
Tomcat=7.0.67
Tomcat=7.0.68
Tomcat=7.0.69
Tomcat=7.0.70
Tomcat=7.0.71
Tomcat=7.0.72
Tomcat=7.0.73
Tomcat=7.0.74
Tomcat=7.0.75
Tomcat=7.0.76
Tomcat=7.0.77
Tomcat=7.0.79
Tomcat=7.0.80
Tomcat=7.0.81
Tomcat=8.0.0-rc1
Tomcat=8.0.0-rc10
Tomcat=8.0.0-rc2
Tomcat=8.0.0-rc5
Tomcat=8.0.1
Tomcat=8.0.2
Tomcat=8.0.4
Tomcat=8.0.6
Tomcat=8.0.7
Tomcat=8.0.9
Tomcat=8.0.10
Tomcat=8.0.11
Tomcat=8.0.12
Tomcat=8.0.13
Tomcat=8.0.14
Tomcat=8.0.15
Tomcat=8.0.16
Tomcat=8.0.17
Tomcat=8.0.18
Tomcat=8.0.19
Tomcat=8.0.20
Tomcat=8.0.21
Tomcat=8.0.22
Tomcat=8.0.23
Tomcat=8.0.24
Tomcat=8.0.25
Tomcat=8.0.26
Tomcat=8.0.27
Tomcat=8.0.28
Tomcat=8.0.29
Tomcat=8.0.30
Tomcat=8.0.31
Tomcat=8.0.32
Tomcat=8.0.33
Tomcat=8.0.34
Tomcat=8.0.35
Tomcat=8.0.36
Tomcat=8.0.37
Tomcat=8.0.38
Tomcat=8.0.39
Tomcat=8.0.40
Tomcat=8.0.41
Tomcat=8.0.42
Tomcat=8.0.43
Tomcat=8.0.44
Tomcat=8.0.45
Tomcat=8.0.46
Tomcat=8.5.0
Tomcat=8.5.1
Tomcat=8.5.2
Tomcat=8.5.3
Tomcat=8.5.4
Tomcat=8.5.5
Tomcat=8.5.6
Tomcat=8.5.7
Tomcat=8.5.8
Tomcat=8.5.9
Tomcat=8.5.10
Tomcat=8.5.11
Tomcat=8.5.12
Tomcat=8.5.13
Tomcat=8.5.14
Tomcat=8.5.15
Tomcat=8.5.16
Tomcat=8.5.17
Tomcat=8.5.18
Tomcat=8.5.19
Tomcat=8.5.20
Tomcat=8.5.21
Tomcat=8.5.22
Tomcat=9.0.0
Tomcat=9.0.0-m1
Tomcat=9.0.0-m10
Tomcat=9.0.0-m11
Tomcat=9.0.0-m12
Tomcat=9.0.0-m13
Tomcat=9.0.0-m14
Tomcat=9.0.0-m15
Tomcat=9.0.0-m16
Tomcat=9.0.0-m17
Tomcat=9.0.0-m18
Tomcat=9.0.0-m19
Tomcat=9.0.0-m2
Tomcat=9.0.0-m20
Tomcat=9.0.0-m21
Tomcat=9.0.0-m22
Tomcat=9.0.0-m3
Tomcat=9.0.0-m4
Tomcat=9.0.0-m5
Tomcat=9.0.0-m6
Tomcat=9.0.0-m7
Tomcat=9.0.0-m8
Tomcat=9.0.0-m9
Tomcat>=7.0.0<7.0.82
Tomcat>=8.0<8.0.47
Tomcat>=8.5.0<8.5.23
Tomcat>=9.0.0<9.0.1
Ubuntu=12.04
Ubuntu=16.04
Ubuntu=17.10
Ubuntu=18.04
Oracle Agile Product Lifecycle Management Framework=9.3.3
Oracle Agile Product Lifecycle Management Framework=9.3.4
Oracle Agile Product Lifecycle Management Framework=9.3.5
Oracle Agile Product Lifecycle Management Framework=9.3.6
Oracle Communications Instant Messaging Server=10.0.1
Oracle Endeca Information Discovery Integrator=3.1.0
Oracle Endeca Information Discovery Integrator=3.2.0
Oracle Enterprise Manager=12.1.0.4.0
Oracle Financial Services Analytical Applications Infrastructure>=7.3.3.0.0<=7.3.5.3.0
Oracle Financial Services Analytical Applications Infrastructure>=8.0.0.0.0<=8.0.9.0.0
Oracle Fusion Middleware Platform=12.2.1.2.0
Oracle Fusion Middleware Platform=12.2.1.3.0
Oracle Health Sciences Empirica Inspections=1.0.1.1
Oracle Hospitality Guest Access=4.2.0
Oracle Hospitality Guest Access=4.2.1
Oracle Instantis EnterpriseTrack=17.1
Oracle Instantis EnterpriseTrack=17.2
Oracle GoldenGate=11.2.1.0.13
Oracle Micros Lucas=2.9.5
Oracle MICROS Retail XBRi Loss Prevention=10.0.1
Oracle MICROS Retail XBRi Loss Prevention=10.5.0
Oracle MICROS Retail XBRi Loss Prevention=10.6.0
Oracle MICROS Retail XBRi Loss Prevention=10.7.0
Oracle MICROS Retail XBRi Loss Prevention=10.8.0
Oracle MICROS Retail XBRi Loss Prevention=10.8.1
MySQL Enterprise Monitor<=3.3.6.3293
MySQL Enterprise Monitor>=3.4.0<=3.4.4.4226
MySQL Enterprise Monitor>=4.0.0<=4.0.0.5135
Oracle Retail Advanced Inventory Planning=13.2
Oracle Retail Advanced Inventory Planning=13.4
Oracle Retail Advanced Inventory Planning=14.1
Oracle Retail Advanced Inventory Planning=15.0
Oracle Retail Back Office=14.0.4
Oracle Retail Back Office=14.1.3
Oracle Retail Central Office=14.0.4
Oracle Retail Central Office=14.1.3
Oracle Retail Convenience Store Back Office=2.1.132
Oracle Retail EFTLink=1.1.124
Oracle Retail EFTLink=15.0.1
Oracle Retail EFTLink=16.0.2
Oracle Retail Insights Cloud Service Suite=14.0
Oracle Retail Insights Cloud Service Suite=14.1
Oracle Retail Insights Cloud Service Suite=15.0
Oracle Retail Insights Cloud Service Suite=16.0
Oracle Retail Invoice Matching=12.0
Oracle Retail Invoice Matching=13.0
Oracle Retail Invoice Matching=13.1
Oracle Retail Invoice Matching=13.2
Oracle Retail Invoice Matching=14.0
Oracle Retail Invoice Matching=14.1
Oracle Retail Invoice Matching=15.0
Oracle Retail Invoice Matching=16.0
Oracle Retail Order Broker=5.0
Oracle Retail Order Broker=5.1
Oracle Retail Order Broker=5.2
Oracle Retail Order Broker=15.0
Oracle Retail Order Broker=16.0
Oracle Retail Order Management System=4.0
Oracle Retail Order Management System=4.5
Oracle Retail Order Management System=4.7
Oracle Retail Order Management System=5.0
Oracle Retail Point-of-Sale=14.0.4
Oracle Retail Point-of-Sale=14.1.3
Oracle Retail Pricing=12.0
Oracle Retail Pricing=13.0
Oracle Retail Pricing=13.1
Oracle Retail Pricing=13.2
Oracle Retail Pricing=14.0
Oracle Retail Pricing=14.1
Oracle Retail Pricing=15.0
Oracle Retail Pricing=16.0
Oracle Retail Returns Management=2.3.8
Oracle Retail Returns Management=2.4.9
Oracle Retail Returns Management=14.0.4
Oracle Retail Returns Management=14.1.3
Oracle Retail Store Inventory Management=12.0.12
Oracle Retail Store Inventory Management=13.0.7
Oracle Retail Store Inventory Management=13.1.9
Oracle Retail Store Inventory Management=13.2.9
Oracle Retail Store Inventory Management=14.0.4
Oracle Retail Store Inventory Management=14.1.3
Oracle Retail Store Inventory Management=15.0.2
Oracle Retail Store Inventory Management=16.0.1
Oracle Retail Xstore Office Cloud Service=6.0.11
Oracle Retail Xstore Office Cloud Service=7.0.6
Oracle Retail Xstore Office Cloud Service=7.1.6
Oracle Retail Xstore Office Cloud Service=15.0.1
Oracle Transportation Execution=6.3.1
Oracle Transportation Execution=6.3.2
Oracle Transportation Execution=6.3.3
Oracle Transportation Execution=6.3.4
Oracle Transportation Execution=6.3.5
Oracle Transportation Execution=6.3.6
Oracle Transportation Execution=6.3.7
Oracle Tuxedo=12.1.3.0.0
Oracle WebCenter Sites=11.1.1.8.0
Oracle Workload Manager=12.2.0.1
Debian Linux=7.0
NetApp Active IQ Unified Manager>=7.3
NetApp Active IQ Unified Manager for VMware vSphere>=9.5
NetApp OnCommand Balance
NetApp OnCommand Insight
NetApp OnCommand Shift
NetApp OnCommand Workflow Automation
NetApp SnapCenter
NetApp Element Plug-in for vCenter Server
Red Hat Fuse=1.0
JBoss Enterprise Application Platform=6.0.0
JBoss Enterprise Application Platform=6.4.0
Red Hat JBoss Enterprise Web Server=2.0.0
Red Hat JBoss Enterprise Web Server=3.0.0
Red Hat JBoss Enterprise Web Server
Red Hat Enterprise Linux Desktop=6.0
Red Hat Enterprise Linux Desktop=7.0
Red Hat Enterprise Linux Server EUS=7.4
Red Hat Enterprise Linux Server EUS=7.5
Red Hat Enterprise Linux Server EUS=7.6
Red Hat Enterprise Linux Server EUS=7.7
Red Hat Enterprise Linux=7.4
Red Hat Enterprise Linux=7.5
Red Hat Enterprise Linux=7.6
Red Hat Enterprise Linux=7.7
Red Hat Enterprise Linux for IBM Z Systems=6.0_s390x
Red Hat Enterprise Linux for IBM Z Systems=7.0_s390x
Red Hat Enterprise Linux for IBM Z Systems (s390x)=7.4_s390x
Red Hat Enterprise Linux for IBM Z Systems (s390x)=7.5_s390x
Red Hat Enterprise Linux for IBM Z Systems (s390x)=7.6_s390x
Red Hat Enterprise Linux for IBM Z Systems (s390x)=7.7_s390x
Red Hat Enterprise Linux for Power, big endian=6.0_ppc64
Red Hat Enterprise Linux for Power, big endian=7.0_ppc64
Red Hat Enterprise Linux for Power, Big Endian EUS=7.4_ppc64
Red Hat Enterprise Linux for Power, Big Endian EUS=7.5_ppc64
Red Hat Enterprise Linux for Power, Big Endian EUS=7.6_ppc64
Red Hat Enterprise Linux for Power, Big Endian EUS=7.7_ppc64
Red Hat Enterprise Linux for Power, little endian=7.0
Red Hat Enterprise Linux for Power, little endian - Extended Update Support=7.4_ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support=7.5_ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support=7.6_ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support=7.7_ppc64le
Red Hat Enterprise Linux Server=6.0
Red Hat Enterprise Linux Server=7.0
Red Hat Enterprise Linux Server=7.4
Red Hat Enterprise Linux Server=7.6
Red Hat Enterprise Linux Server=7.7
Red Hat Enterprise Linux Server=7.4
Red Hat Enterprise Linux Server=7.6
Red Hat Enterprise Linux Server=7.7
Red Hat Enterprise Linux Workstation=6.0
Red Hat Enterprise Linux Workstation=7.0


Frequently Asked Questions

  • What is the severity of CVE-2017-12617?

    The severity of CVE-2017-12617 is classified as critical due to the ability to upload JSP files and execute arbitrary code.

  • How do I fix CVE-2017-12617?

    To fix CVE-2017-12617, upgrade Apache Tomcat to version 7.0.82, 8.0.47, 8.5.23, or 9.0.1, depending on your installed version.

  • Which versions of Apache Tomcat are affected by CVE-2017-12617?

    Affected versions of Apache Tomcat include 7.0.0 to 7.0.81, 8.0.0.RC1 to 8.0.46, 8.5.0 to 8.5.22, and 9.0.0 up to 9.0.0.M1.

  • What type of vulnerability is CVE-2017-12617?

    CVE-2017-12617 is a file upload vulnerability that allows for remote code execution.

  • Can I prevent CVE-2017-12617 by disabling HTTP PUT?

    Disabling HTTP PUT can mitigate the risk of CVE-2017-12617; however, the recommended action is to update to a patched version.
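The two FAQ answers above (upgrade to a fixed release; otherwise make sure HTTP PUT is not enabled) translate into two checks a defender can script on a Tomcat host. The following is an added example, not code from the SecAlerts page or from the Apache Tomcat project. It compares an installed version against the fixed releases the advisory names, and it inspects a web.xml to see whether the DefaultServlet has its readonly init-param set to false. That parameter name comes from the Apache advisory for CVE-2017-12617 rather than from this page, so treat it as an assumption here; the web.xml fragments are constructed samples.

```python
"""Triage helpers for CVE-2017-12617 (added example, not from the advisory page).

1. is_version_affected(): compare a Tomcat version string with the fixed
   releases listed in the advisory (7.0.82, 8.0.47, 8.5.23, 9.0.1).
2. put_enabled_in_web_xml(): report whether conf/web.xml configures the
   DefaultServlet with readonly=false, the setting that lets HTTP PUT write
   files into the webapp (assumption: parameter name taken from the Apache
   advisory, not from this page).
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases from the advisory's "How to fix" column, keyed by branch.
FIXED = {"7.0": (7, 0, 82), "8.0": (8, 0, 47), "8.5": (8, 5, 23), "9.0": (9, 0, 1)}

# Accepts 8.0.46, 8.0.0.RC1, 8.0.0-rc10, 9.0.0M27, 9.0.0.M1, 7.0.2-beta.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-]?(RC|M|beta)(\d*))?$", re.IGNORECASE)


def parse_version(text):
    """Turn a Tomcat version into a sortable tuple.

    Pre-releases (RC/M/beta) of x.y.z sort before the final x.y.z:
    pre-release -> (x, y, z, 0, n), final -> (x, y, z, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):
        return (major, minor, patch, 0, int(m.group(5) or 0))
    return (major, minor, patch, 1, 0)


def is_version_affected(text):
    """True when the version lies in an affected range named by the advisory."""
    v = parse_version(text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED:
        return False  # branch not listed by the advisory (e.g. 6.0 or 10.x)
    return v < FIXED[branch] + (1, 0)


def put_enabled_in_web_xml(xml_text):
    """True if the DefaultServlet is declared with init-param readonly=false.

    Servlet 3.x descriptors carry a namespace and older ones do not, so
    namespaces are stripped before matching tag names.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    for servlet in root.iter("servlet"):
        cls = servlet.findtext("servlet-class", default="").strip()
        if cls != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet.iter("init-param"):
            name = param.findtext("param-name", default="").strip()
            value = param.findtext("param-value", default="").strip().lower()
            if name == "readonly" and value == "false":
                return True
    return False


def triage(version, web_xml_text):
    """Combine both checks: a host is exposed only when it runs an affected
    build *and* has PUT writes enabled."""
    affected = is_version_affected(version)
    put_on = put_enabled_in_web_xml(web_xml_text)
    return {"version_affected": affected, "put_enabled": put_on,
            "exposed": affected and put_on}


# Constructed sample: conf/web.xml fragment with PUT writes enabled (risky).
WEB_XML_PUT_ENABLED = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the same servlet with the default read-only setting.
WEB_XML_HARDENED = WEB_XML_PUT_ENABLED.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")


if __name__ == "__main__":
    for ver in ("8.5.22", "8.5.23", "9.0.0.M27", "9.0.1"):
        print(ver, triage(ver, WEB_XML_PUT_ENABLED))
    print("hardened web.xml, 8.5.22:", triage("8.5.22", WEB_XML_HARDENED))
```

Run it against the real conf/web.xml and the version reported by `version.sh` or the server banner; a result of `exposed: True` means patch now, and a hardened web.xml on an affected build still means patch, since the FAQ's own advice is that disabling PUT only mitigates.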

© 2025 SecAlerts Pty Ltd.