Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

Apache Tomcat JMX Remote Lifecycle Listener Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in Apache Tomcat versions prior to 6.0.48, 7.x prior to 7.0.73, 8.x prior to 8.0.39, 8.5.x prior to 8.5.7, and 9.x prior to 9.0.0.M12. The vulnerability is exploitable when the JmxRemoteLifecycleListener is enabled and the JMX ports it opens are reachable by an attacker. The issue arises because the listener was not updated to align with an Oracle patch that changed the credential types involved, leaving Tomcat installations that use the listener vulnerable to remote code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected Tomcat server.

Reproduction

To reproduce this vulnerability, deploy a web application on Apache Tomcat that uses the JmxRemoteLifecycleListener. Ensure that the JMX ports are accessible and that the application is running on a vulnerable version of Tomcat. An attacker can then upload a malicious file to the server via a crafted HTTP PUT request. Once the file is uploaded, the attacker can execute it by sending a request that triggers the execution of the uploaded file as a JSP.

Remediation

Users can upgrade to Apache Tomcat versions 6.0.48, 7.0.73, 8.0.39, 8.5.7, or 9.0.0.M12. For those using Tomcat 8.5.x, it is recommended to review the JMX Remote Lifecycle Listener configuration and disable it if not needed.
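As an added defensive check that is not part of this advisory or of Tomcat itself, the Python script below reports whether a given Tomcat version falls in the affected ranges listed above and whether a server.xml enables the JmxRemoteLifecycleListener (and on which RMI ports). The listener's class name and its rmiRegistryPortPlatform/rmiServerPortPlatform/useLocalPorts attributes are taken from Tomcat's listener documentation; the server.xml fragment is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release of each branch, as stated in the advisory.
FIXED = {"6.0": (6, 0, 48), "7.0": (7, 0, 73), "8.0": (8, 0, 39), "8.5": (8, 5, 7)}
FIXED_9_MILESTONE = 12  # 9.0.0.M12 is the first fixed 9.x milestone
LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"  # documented class name
PORT_ATTRS = ("rmiRegistryPortPlatform", "rmiServerPortPlatform", "useLocalPorts")


def parse_version(v):
    """Turn '8.5.6' or '9.0.0.M11' into (major, minor, patch, milestone_or_None)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)


def is_vulnerable_version(v):
    """True if the version is inside an affected range named by the advisory."""
    major, minor, patch, milestone = parse_version(v)
    if major == 9:
        # Only 9.0.0 milestones before M12 are listed as affected; GA 9.0.x is not.
        return (minor, patch) == (0, 0) and milestone is not None and milestone < FIXED_9_MILESTONE
    fixed = FIXED.get(f"{major}.{minor}")
    if fixed is None:
        return False  # branch not covered by the advisory
    return (major, minor, patch) < fixed


def jmx_listeners(server_xml):
    """Return one dict of RMI port attributes per JmxRemoteLifecycleListener in server.xml."""
    root = ET.fromstring(server_xml)
    return [{k: el.get(k) for k in PORT_ATTRS}
            for el in root.iter("Listener") if el.get("className") == LISTENER]


def assess(version, server_xml):
    """Combine both conditions: an affected version AND the listener enabled means at risk."""
    listeners = jmx_listeners(server_xml)
    vulnerable = is_vulnerable_version(version)
    return {"vulnerable_version": vulnerable, "listener_enabled": bool(listeners),
            "listeners": listeners, "at_risk": vulnerable and bool(listeners)}


# Constructed sample server.xml fragment; not taken from any real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina"/>
</Server>"""

if __name__ == "__main__":
    print(assess("8.5.6", SAMPLE_SERVER_XML))  # at_risk: True for this constructed input
```

Run it against the real server.xml and the version reported by the installed Tomcat; a result with `at_risk` true means upgrade or remove the listener as the advisory describes.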

Added: Mar 16, 2026, 8:59 PM
Updated: Mar 16, 2026, 8:59 PM

Vulnerability Rating

Custom Algorithm

spread: 8.8
impact: 7.5
exploitability: 9.3
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.