Exploited in the wild
CVSS: 8.1
CWE: 434 (Unrestricted Upload of File with Dangerous Type)

CVE-2017-12617: Apache Tomcat Remote Code Execution Vulnerability

First published: Thu Sep 21 2017

Last updated: 21 February 2025

Credit: security@apache.org

Affected Software / Affected Version / How to fix
Apache Tomcat=7.0.0
Apache Tomcat=7.0.1
Apache Tomcat=7.0.2
Apache Tomcat=7.0.2-beta
Apache Tomcat=7.0.3
Apache Tomcat=7.0.4
Apache Tomcat=7.0.4-beta
Apache Tomcat=7.0.5
Apache Tomcat=7.0.5-beta
Apache Tomcat=7.0.6
Apache Tomcat=7.0.7
Apache Tomcat=7.0.8
Apache Tomcat=7.0.9
Apache Tomcat=7.0.10
Apache Tomcat=7.0.11
Apache Tomcat=7.0.12
Apache Tomcat=7.0.13
Apache Tomcat=7.0.14
Apache Tomcat=7.0.15
Apache Tomcat=7.0.16
Apache Tomcat=7.0.17
Apache Tomcat=7.0.18
Apache Tomcat=7.0.19
Apache Tomcat=7.0.20
Apache Tomcat=7.0.21
Apache Tomcat=7.0.22
Apache Tomcat=7.0.23
Apache Tomcat=7.0.24
Apache Tomcat=7.0.25
Apache Tomcat=7.0.26
Apache Tomcat=7.0.27
Apache Tomcat=7.0.28
Apache Tomcat=7.0.29
Apache Tomcat=7.0.30
Apache Tomcat=7.0.31
Apache Tomcat=7.0.32
Apache Tomcat=7.0.33
Apache Tomcat=7.0.34
Apache Tomcat=7.0.35
Apache Tomcat=7.0.36
Apache Tomcat=7.0.37
Apache Tomcat=7.0.38
Apache Tomcat=7.0.39
Apache Tomcat=7.0.40
Apache Tomcat=7.0.41
Apache Tomcat=7.0.42
Apache Tomcat=7.0.43
Apache Tomcat=7.0.44
Apache Tomcat=7.0.45
Apache Tomcat=7.0.46
Apache Tomcat=7.0.47
Apache Tomcat=7.0.48
Apache Tomcat=7.0.49
Apache Tomcat=7.0.50
Apache Tomcat=7.0.51
Apache Tomcat=7.0.54
Apache Tomcat=7.0.55
Apache Tomcat=7.0.56
Apache Tomcat=7.0.57
Apache Tomcat=7.0.58
Apache Tomcat=7.0.59
Apache Tomcat=7.0.60
Apache Tomcat=7.0.61
Apache Tomcat=7.0.62
Apache Tomcat=7.0.63
Apache Tomcat=7.0.64
Apache Tomcat=7.0.65
Apache Tomcat=7.0.66
Apache Tomcat=7.0.67
Apache Tomcat=7.0.68
Apache Tomcat=7.0.69
Apache Tomcat=7.0.70
Apache Tomcat=7.0.71
Apache Tomcat=7.0.72
Apache Tomcat=7.0.73
Apache Tomcat=7.0.74
Apache Tomcat=7.0.75
Apache Tomcat=7.0.76
Apache Tomcat=7.0.77
Apache Tomcat=7.0.79
Apache Tomcat=7.0.80
Apache Tomcat=7.0.81
Apache Tomcat=8.0.0-rc1
Apache Tomcat=8.0.0-rc10
Apache Tomcat=8.0.0-rc2
Apache Tomcat=8.0.0-rc5
Apache Tomcat=8.0.1
Apache Tomcat=8.0.2
Apache Tomcat=8.0.4
Apache Tomcat=8.0.6
Apache Tomcat=8.0.7
Apache Tomcat=8.0.9
Apache Tomcat=8.0.10
Apache Tomcat=8.0.11
Apache Tomcat=8.0.12
Apache Tomcat=8.0.13
Apache Tomcat=8.0.14
Apache Tomcat=8.0.15
Apache Tomcat=8.0.16
Apache Tomcat=8.0.17
Apache Tomcat=8.0.18
Apache Tomcat=8.0.19
Apache Tomcat=8.0.20
Apache Tomcat=8.0.21
Apache Tomcat=8.0.22
Apache Tomcat=8.0.23
Apache Tomcat=8.0.24
Apache Tomcat=8.0.25
Apache Tomcat=8.0.26
Apache Tomcat=8.0.27
Apache Tomcat=8.0.28
Apache Tomcat=8.0.29
Apache Tomcat=8.0.30
Apache Tomcat=8.0.31
Apache Tomcat=8.0.32
Apache Tomcat=8.0.33
Apache Tomcat=8.0.34
Apache Tomcat=8.0.35
Apache Tomcat=8.0.36
Apache Tomcat=8.0.37
Apache Tomcat=8.0.38
Apache Tomcat=8.0.39
Apache Tomcat=8.0.40
Apache Tomcat=8.0.41
Apache Tomcat=8.0.42
Apache Tomcat=8.0.43
Apache Tomcat=8.0.44
Apache Tomcat=8.0.45
Apache Tomcat=8.0.46
Apache Tomcat=8.5.0
Apache Tomcat=8.5.1
Apache Tomcat=8.5.2
Apache Tomcat=8.5.3
Apache Tomcat=8.5.4
Apache Tomcat=8.5.5
Apache Tomcat=8.5.6
Apache Tomcat=8.5.7
Apache Tomcat=8.5.8
Apache Tomcat=8.5.9
Apache Tomcat=8.5.10
Apache Tomcat=8.5.11
Apache Tomcat=8.5.12
Apache Tomcat=8.5.13
Apache Tomcat=8.5.14
Apache Tomcat=8.5.15
Apache Tomcat=8.5.16
Apache Tomcat=8.5.17
Apache Tomcat=8.5.18
Apache Tomcat=8.5.19
Apache Tomcat=8.5.20
Apache Tomcat=8.5.21
Apache Tomcat=8.5.22
Apache Tomcat=9.0.0
Apache Tomcat=9.0.0-m1
Apache Tomcat=9.0.0-m10
Apache Tomcat=9.0.0-m11
Apache Tomcat=9.0.0-m12
Apache Tomcat=9.0.0-m13
Apache Tomcat=9.0.0-m14
Apache Tomcat=9.0.0-m15
Apache Tomcat=9.0.0-m16
Apache Tomcat=9.0.0-m17
Apache Tomcat=9.0.0-m18
Apache Tomcat=9.0.0-m19
Apache Tomcat=9.0.0-m2
Apache Tomcat=9.0.0-m20
Apache Tomcat=9.0.0-m21
Apache Tomcat=9.0.0-m22
Apache Tomcat=9.0.0-m3
Apache Tomcat=9.0.0-m4
Apache Tomcat=9.0.0-m5
Apache Tomcat=9.0.0-m6
Apache Tomcat=9.0.0-m7
Apache Tomcat=9.0.0-m8
Apache Tomcat=9.0.0-m9
debian/tomcat7
debian/tomcat8.0
redhat/tomcat<7.0.82 (fix: 7.0.82)
redhat/tomcat<8.0.47 (fix: 8.0.47)
redhat/tomcat<8.5.23 (fix: 8.5.23)
maven/org.apache.tomcat:tomcat>=8.0.0.RC1<=8.0.46 (fix: 8.0.47)
maven/org.apache.tomcat:tomcat>=7.0.0<=7.0.81 (fix: 7.0.82)
maven/org.apache.tomcat:tomcat>=8.5.0<=8.5.22 (fix: 8.5.23)
maven/org.apache.tomcat:tomcat>=9.0.0.M1<=9.0.0.M27 (fix: 9.0.1)
Apache Tomcat
Apache Tomcat>=7.0.0<7.0.82 (fix: 7.0.82)
Apache Tomcat>=8.0<8.0.47 (fix: 8.0.47)
Apache Tomcat>=8.5.0<8.5.23 (fix: 8.5.23)
Apache Tomcat>=9.0.0<9.0.1 (fix: 9.0.1)
Ubuntu=12.04
Ubuntu=16.04
Ubuntu=17.10
Ubuntu=18.04
Oracle Agile PLM=9.3.3
Oracle Agile PLM=9.3.4
Oracle Agile PLM=9.3.5
Oracle Agile PLM=9.3.6
Oracle Communications Instant Messaging Server=10.0.1
Oracle Endeca Information Discovery Integrator=3.1.0
Oracle Endeca Information Discovery Integrator=3.2.0
Oracle Enterprise Manager for MySQL=12.1.0.4.0
Oracle Financial Services Analytical Applications Infrastructure>=7.3.3.0.0<=7.3.5.3.0
Oracle Financial Services Analytical Applications Infrastructure>=8.0.0.0.0<=8.0.9.0.0
Oracle Fusion Middleware Platform=12.2.1.2.0
Oracle Fusion Middleware Platform=12.2.1.3.0
Oracle Health Sciences Empirica Inspections=1.0.1.1
Oracle Hospitality Guest Access=4.2.0
Oracle Hospitality Guest Access=4.2.1
oracle instantis enterprisetrack=17.1
oracle instantis enterprisetrack=17.2
Oracle GoldenGate Management Pack=11.2.1.0.13
oracle micros lucas=2.9.5
Oracle MICROS Retail XBRi Loss Prevention=10.0.1
Oracle MICROS Retail XBRi Loss Prevention=10.5.0
Oracle MICROS Retail XBRi Loss Prevention=10.6.0
Oracle MICROS Retail XBRi Loss Prevention=10.7.0
Oracle MICROS Retail XBRi Loss Prevention=10.8.0
Oracle MICROS Retail XBRi Loss Prevention=10.8.1
MySQL Enterprise Monitor<=3.3.6.3293
MySQL Enterprise Monitor>=3.4.0<=3.4.4.4226
MySQL Enterprise Monitor>=4.0.0<=4.0.0.5135
Oracle Retail Advanced Inventory Planning=13.2
Oracle Retail Advanced Inventory Planning=13.4
Oracle Retail Advanced Inventory Planning=14.1
Oracle Retail Advanced Inventory Planning=15.0
Oracle Retail Back Office=14.0.4
Oracle Retail Back Office=14.1.3
Oracle Retail Central Office=14.0.4
Oracle Retail Central Office=14.1.3
Oracle Retail Convenience and Fuel POS Software=2.1.132
Oracle Retail EFTLink=1.1.124
Oracle Retail EFTLink=15.0.1
Oracle Retail EFTLink=16.0.2
Oracle Retail Insights Cloud Service Suite=14.0
Oracle Retail Insights Cloud Service Suite=14.1
Oracle Retail Insights Cloud Service Suite=15.0
Oracle Retail Insights Cloud Service Suite=16.0
Oracle Retail Invoice Matching=12.0
Oracle Retail Invoice Matching=13.0
Oracle Retail Invoice Matching=13.1
Oracle Retail Invoice Matching=13.2
Oracle Retail Invoice Matching=14.0
Oracle Retail Invoice Matching=14.1
Oracle Retail Invoice Matching=15.0
Oracle Retail Invoice Matching=16.0
Oracle Retail Order Broker=5.0
Oracle Retail Order Broker=5.1
Oracle Retail Order Broker=5.2
Oracle Retail Order Broker=15.0
Oracle Retail Order Broker=16.0
Oracle Retail Order Management System=4.0
Oracle Retail Order Management System=4.5
Oracle Retail Order Management System=4.7
Oracle Retail Order Management System=5.0
Oracle Retail Point-of-Sale=14.0.4
Oracle Retail Point-of-Sale=14.1.3
Oracle Retail Pricing=12.0
Oracle Retail Pricing=13.0
Oracle Retail Pricing=13.1
Oracle Retail Pricing=13.2
Oracle Retail Pricing=14.0
Oracle Retail Pricing=14.1
Oracle Retail Pricing=15.0
Oracle Retail Pricing=16.0
Oracle Retail Returns Management=2.3.8
Oracle Retail Returns Management=2.4.9
Oracle Retail Returns Management=14.0.4
Oracle Retail Returns Management=14.1.3
Oracle Retail Store Inventory Management=12.0.12
Oracle Retail Store Inventory Management=13.0.7
Oracle Retail Store Inventory Management=13.1.9
Oracle Retail Store Inventory Management=13.2.9
Oracle Retail Store Inventory Management=14.0.4
Oracle Retail Store Inventory Management=14.1.3
Oracle Retail Store Inventory Management=15.0.2
Oracle Retail Store Inventory Management=16.0.1
Oracle Retail Xstore Office Cloud Service=6.0.11
Oracle Retail Xstore Office Cloud Service=7.0.6
Oracle Retail Xstore Office Cloud Service=7.1.6
Oracle Retail Xstore Office Cloud Service=15.0.1
Oracle Transportation Management=6.3.1
Oracle Transportation Management=6.3.2
Oracle Transportation Management=6.3.3
Oracle Transportation Management=6.3.4
Oracle Transportation Management=6.3.5
Oracle Transportation Management=6.3.6
Oracle Transportation Management=6.3.7
Oracle Tuxedo System and Applications Monitor=12.1.3.0.0
Oracle WebCenter Sites=11.1.1.8.0
Oracle Workload Manager=12.2.0.1
Debian=7.0
netapp active iq unified manager windows>=7.3
NetApp Active IQ Unified Manager for VMware vSphere>=9.5
NetApp OnCommand Balance
NetApp OnCommand Insight
NetApp OnCommand Shift
NetApp OnCommand Workflow Automation
NetApp SnapCenter
NetApp Element Plug-in for vCenter Server
Red Hat Fuse=1.0
redhat jboss enterprise application platform=6.0.0
redhat jboss enterprise application platform=6.4.0
Red Hat JBoss Enterprise Web Server=2.0.0
Red Hat JBoss Enterprise Web Server=3.0.0
Red Hat JBoss Enterprise Web Server
redhat enterprise Linux desktop=6.0
redhat enterprise Linux desktop=7.0
redhat enterprise Linux eus=7.4
redhat enterprise Linux eus=7.5
redhat enterprise Linux eus=7.6
redhat enterprise Linux eus=7.7
Red Hat Enterprise Linux=7.4
Red Hat Enterprise Linux=7.5
Red Hat Enterprise Linux=7.6
Red Hat Enterprise Linux=7.7
redhat enterprise Linux for ibm z systems=6.0_s390x
redhat enterprise Linux for ibm z systems=7.0_s390x
redhat enterprise Linux for ibm z systems eus=7.4_s390x
redhat enterprise Linux for ibm z systems eus=7.5_s390x
redhat enterprise Linux for ibm z systems eus=7.6_s390x
redhat enterprise Linux for ibm z systems eus=7.7_s390x
redhat enterprise Linux for power big endian=6.0_ppc64
redhat enterprise Linux for power big endian=7.0_ppc64
redhat enterprise Linux for power big endian eus=7.4_ppc64
redhat enterprise Linux for power big endian eus=7.5_ppc64
redhat enterprise Linux for power big endian eus=7.6_ppc64
redhat enterprise Linux for power big endian eus=7.7_ppc64
redhat enterprise Linux for power little endian=7.0
redhat enterprise Linux for power little endian eus=7.4_ppc64le
redhat enterprise Linux for power little endian eus=7.5_ppc64le
redhat enterprise Linux for power little endian eus=7.6_ppc64le
redhat enterprise Linux for power little endian eus=7.7_ppc64le
redhat enterprise Linux server=6.0
redhat enterprise Linux server=7.0
redhat enterprise Linux server aus=7.4
redhat enterprise Linux server aus=7.6
redhat enterprise Linux server aus=7.7
redhat enterprise Linux server tus=7.4
redhat enterprise Linux server tus=7.6
redhat enterprise Linux server tus=7.7
redhat enterprise Linux workstation=6.0
redhat enterprise Linux workstation=7.0


Frequently Asked Questions

  • What is the severity of CVE-2017-12617?

    CVE-2017-12617 has a CVSS v3 base score of 8.1 (High) and has been exploited in the wild. An unauthenticated attacker who can send HTTP PUT requests to a Tomcat instance that honours them can upload a JSP file and then request it, at which point the server runs the attacker's code with the privileges of the Tomcat process.

  • How do I fix CVE-2017-12617?

    Upgrade Apache Tomcat to 7.0.82, 8.0.47, 8.5.23 or 9.0.1 (or later) on the branch you run. For Tomcat shipped inside another product or as a distribution package (the Oracle, NetApp, Red Hat, Debian and Ubuntu entries above), apply that vendor's update; the bundled Tomcat version is what matters, not the product version.

  • Which versions of Apache Tomcat are affected by CVE-2017-12617?

    Apache Tomcat 7.0.0 to 7.0.81, 8.0.0.RC1 to 8.0.46, 8.5.0 to 8.5.22 and 9.0.0.M1 to 9.0.0 are affected. Milestone, RC and beta builds of those releases are affected as well.

  • What type of vulnerability is CVE-2017-12617?

    It is an unrestricted file upload (CWE-434) that leads to remote code execution. Tomcat's Default servlet writes files in response to HTTP PUT when its readonly initialisation parameter is set to false. Requests for *.jsp are normally handled by the JSP servlet, which does not accept PUT, but a specially crafted path (the public proof of concept appends a trailing slash, as in PUT /shell.jsp/) is routed to the Default servlet instead and is stored as a .jsp file under the web root. A subsequent GET of that file executes it.

  • Can I prevent CVE-2017-12617 by disabling HTTP PUT?

    Yes, in practice. The Default servlet only honours PUT (and DELETE) when readonly is explicitly set to false in conf/web.xml or in an application's WEB-INF/web.xml; the shipped default is readonly=true. Leaving it at the default, or setting it back, removes the upload path, and rejecting PUT at a reverse proxy or WAF in front of Tomcat has the same effect. Upgrading to a fixed release is still the recommended action.
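The two answers above (which versions are affected, and whether the Default servlet has been opened to PUT) can be checked offline from a version string and the text of web.xml. The script below is an added example, not SecAlerts' or Apache's code; the affected ranges are those from the advisory, the two web.xml documents are constructed samples, and the DefaultServlet class name is the one Tomcat ships.

```python
"""Offline exposure check for CVE-2017-12617 (added example, not project code):
is this Tomcat build in an affected range, and does its web.xml set the
Default servlet's readonly parameter to false so that HTTP PUT is honoured?"""
import re
import xml.etree.ElementTree as ET

# (first affected, last affected, fixed release) per branch, from the advisory.
# Milestone/RC/beta builds carry the number of the release they precede, so
# 9.0.0.M22 compares as 9.0.0 and is affected because 9.0.0 is.
AFFECTED = [
    ((7, 0, 0), (7, 0, 81), "7.0.82"),
    ((8, 0, 0), (8, 0, 46), "8.0.47"),
    ((8, 5, 0), (8, 5, 22), "8.5.23"),
    ((9, 0, 0), (9, 0, 0), "9.0.1"),
]
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z]+\d*)?$")
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def parse_version(text):
    """'8.5.22', '8.0.0.RC1', '7.0.2-beta', '9.0.0.M22' -> numeric triple."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    return tuple(int(g) for g in m.groups())


def fixed_version_for(text):
    """Release that fixes `text`, or None if that version is not affected."""
    v = parse_version(text)
    for low, high, fixed in AFFECTED:
        if low <= v <= high:
            return fixed
    return None


def _local(tag):
    # ElementTree reports namespaced tags as '{uri}name'; keep only 'name'.
    return tag.rsplit("}", 1)[-1]


def default_servlet_accepts_put(web_xml_text):
    """True only if the DefaultServlet definition sets readonly=false.
    Tomcat ships with readonly=true and an absent parameter means the default
    applies. Check conf/web.xml and each app's WEB-INF/web.xml, since an
    application may redefine the servlet."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = "".join((c.text or "") for c in servlet
                      if _local(c.tag) == "servlet-class").strip()
        if cls != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                return value.lower() == "false"
        return False  # DefaultServlet present, readonly left at default
    return False


def audit(version, web_xml_text):
    """The upload path is reachable only on an affected build that honours PUT."""
    fixed = fixed_version_for(version)
    put_enabled = default_servlet_accepts_put(web_xml_text)
    return {"fixed_in": fixed, "put_enabled": put_enabled,
            "exploitable": fixed is not None and put_enabled}


# Constructed samples, not taken from any real host: the weak setting named
# in the advisory, and a config that leaves readonly at its default of true.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for ver, cfg in [("8.5.22", WEAK_WEB_XML), ("8.5.22", SAFE_WEB_XML),
                     ("8.5.23", WEAK_WEB_XML), ("9.0.0.M22", WEAK_WEB_XML)]:
        print(ver, audit(ver, cfg))
```

Run it against the real conf/web.xml and each deployed application's WEB-INF/web.xml; a host on a fixed release with readonly=false is still worth flagging, since the setting lets any unauthenticated client write arbitrary non-JSP content into the web root.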

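For incident responders, the question after reading the FAQ is whether an instance was actually hit before the fix or the readonly change went in. The script below is an added example, not SecAlerts' or Apache's code: it parses Tomcat access-log lines in the AccessLogValve "common" pattern (%h %l %u %t "%r" %s %b), flags every PUT whose target resolves to a .jsp or .jspx file, and reports whether the server accepted the write and whether the uploaded file was then requested. The log lines are constructed samples; the trailing-slash form is the one used in the public proof of concept for this CVE, and the trailing-space and ::$DATA forms belong to the Windows-only sibling CVE-2017-12615.

```python
"""Hunt Tomcat access logs for CVE-2017-12617 style JSP uploads.
Added example, not project code; sample log lines are constructed."""
import re
from urllib.parse import unquote, urlsplit

# AccessLogValve 'common' pattern: %h %l %u %t "%r" %s %b
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
JSP_FILE = re.compile(r"\.jspx?$", re.IGNORECASE)


def normalise_path(target):
    """Reduce a request target to the file Tomcat would actually write.
    A trailing slash (PUT /x.jsp/) is what routes the request to the Default
    servlet instead of the JSP servlet in the public PoC for this CVE; a
    trailing space or '::$DATA' is the Windows variant (CVE-2017-12615).
    Stripping them lets the PUT be matched with the later GET of /x.jsp."""
    path = unquote(urlsplit(target).path)
    path = path.rstrip("/ ")
    if path.endswith("::$DATA"):
        path = path[:-len("::$DATA")]
    return path


def parse_line(line):
    m = LOG_LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    event["path"] = normalise_path(event["target"])
    return event


def find_jsp_uploads(lines):
    """One finding per PUT of a JSP: was it accepted, and was it then run?"""
    events = [e for e in map(parse_line, lines) if e is not None]
    findings = []
    for i, ev in enumerate(events):
        if ev["method"] != "PUT" or not JSP_FILE.search(ev["path"]):
            continue
        # DefaultServlet answers a successful PUT with 201 (created) or
        # 204 (existing file overwritten); 403/405 mean it was refused.
        accepted = ev["status"] in (200, 201, 204)
        executed = accepted and any(
            later["path"] == ev["path"] and later["status"] == 200
            and later["method"] in ("GET", "POST")
            for later in events[i + 1:]
        )
        findings.append({
            "ip": ev["ip"], "time": ev["ts"], "target": ev["target"],
            "path": ev["path"], "status": ev["status"],
            "accepted": accepted, "executed": executed,
        })
    return findings


def classify(finding):
    if finding["executed"]:
        return "confirmed: JSP written and executed"
    if finding["accepted"]:
        return "likely compromise: JSP written, not yet requested"
    return "attempt refused by server"


# Constructed sample log: normal traffic, one refused PUT to the JSP servlet,
# the trailing-slash upload that succeeds and is then run, a harmless PUT of
# a non-JSP file, and a refused Windows-style variant.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Oct/2017:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
198.51.100.7 - - [03/Oct/2017:12:00:09 +0000] "PUT /cmd.jsp HTTP/1.1" 405 -
198.51.100.7 - - [03/Oct/2017:12:00:10 +0000] "PUT /cmd.jsp/ HTTP/1.1" 201 -
198.51.100.7 - - [03/Oct/2017:12:00:11 +0000] "GET /cmd.jsp?cmd=id HTTP/1.1" 200 57
203.0.113.9 - - [03/Oct/2017:12:05:00 +0000] "PUT /upload/report.pdf HTTP/1.1" 201 -
203.0.113.9 - - [03/Oct/2017:12:06:00 +0000] "PUT /x.jsp%20 HTTP/1.1" 403 -
""".splitlines()

if __name__ == "__main__":
    for f in find_jsp_uploads(SAMPLE_LOG):
        print(f["time"], f["ip"], f["method" if "method" in f else "target"],
              f["status"], classify(f))
```

A 201 or 204 on a JSP PUT is a compromise indicator on its own, whether or not the GET is present in the same log: the file is on disk and can be requested at any time, so the web root should be diffed against the deployed artifact and the host treated as owned by the uploader.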
© 2025 SecAlerts Pty Ltd.