Computer Emergency Response Team of Mauritius (CERT-MU)

VN-2017-84


Apache Tomcat Default Servlet Error Handling Bug May Let Remote Users Bypass HTTP Method Restrictions on the Target Error Page
Severity Rating: Medium
Systems Affected:
  • Apache Tomcat server versions 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14, 9.0.0.M1 to 9.0.0.M20
Description
A vulnerability has been reported in Apache Tomcat that can be exploited by remote attackers to bypass security controls on the target system. The vulnerability exists because the default Servlet's error page mechanism does not properly handle certain HTTP request methods for static error pages. As a result, a remote user may be able to bypass HTTP method restrictions and cause unexpected actions to occur for static error pages, potentially including the deletion or replacement of the target error page.
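Two checks an administrator would want after reading this advisory, as an added example that is not part of the CERT-MU text: a version test that encodes the affected ranges listed above (including the milestone and release-candidate builds, which sort before the final build of the same number), and a triage pass over Tomcat access log lines that flags the write-type methods (PUT and DELETE) the advisory associates with deletion or replacement of static content. The log format assumed is Tomcat's common access log pattern; the sample lines are constructed, and the assumption that the deployment has no legitimate use for PUT or DELETE is the reader's to confirm.

```python
import re
from typing import List, Tuple

# Affected ranges exactly as listed in the advisory (inclusive on both ends).
AFFECTED_RANGES = [
    ("7.0.0", "7.0.77"),
    ("8.0.0.RC1", "8.0.43"),
    ("8.5.0", "8.5.14"),
    ("9.0.0.M1", "9.0.0.M20"),
]

# major.minor.patch with an optional ".M<n>" (milestone) or ".RC<n>" suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")
# Milestones sort before release candidates, which sort before the final build.
_STAGE_RANK = {"M": 0, "RC": 1, None: 2}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a tuple that orders correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch), _STAGE_RANK[stage], int(stage_num or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside any range from the advisory."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Request line and status from the common access log pattern: ... "METHOD PATH PROTO" STATUS BYTES
_ACCESS_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# Methods the advisory ties to deletion/replacement of static error pages.
WRITE_METHODS = {"PUT", "DELETE"}


def flag_write_methods(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (method, path, status) for every PUT or DELETE seen in the log lines."""
    hits = []
    for line in lines:
        m = _ACCESS_RE.search(line)
        if m and m.group("method") in WRITE_METHODS:
            hits.append((m.group("method"), m.group("path"), int(m.group("status"))))
    return hits


# Constructed sample access log lines (hypothetical hosts and paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2017:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/May/2017:10:00:02 +0000] "DELETE /reports/old.html HTTP/1.1" 405 -',
    '10.0.0.9 - - [12/May/2017:10:00:03 +0000] "PUT /upload.txt HTTP/1.1" 403 -',
    '10.0.0.7 - - [12/May/2017:10:00:04 +0000] "POST /login HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for v in ("7.0.77", "7.0.78", "8.0.0.RC1", "8.5.15", "9.0.0.M20"):
        print(f"{v:12} affected={is_affected(v)}")
    for hit in flag_write_methods(SAMPLE_LOG):
        print("write method seen:", hit)
```

Run the version check against the output of Tomcat's `version.sh` (or the server banner in your inventory) and feed the log scanner a day of access logs; any PUT or DELETE on a host that is not meant to accept them deserves a look regardless of the status code returned, since a rejected request still shows someone probing write methods.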
 
Solution
Users are advised to apply updates.
More information is available on:
 
Vendor Information
Apache Tomcat
 
References
Security Tracker
 
Tomcat Apache
 
Contact Information
 
Postal address
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street
Port Louis