CVE-2013-4444 Remote Code Execution in Apache Tomcat




Spring by Pivotal

Versions Affected
  • Apache Tomcat 7.0.0 to 7.0.39 inclusive

In very limited circumstances, it was possible for an attacker to upload a malicious JSP to a Tomcat server and then trigger the execution of that JSP. While Remote Code Execution would normally be viewed as a critical vulnerability, the circumstances under which this is possible are, in the view of the Tomcat security team, sufficiently limited that this vulnerability is viewed as important.

For this attack to be possible all of the following requirements must be met:

A. Using Oracle Java 1.7.0 update 25 or earlier (or any other Java implementation where is vulnerable to null byte injection).

B. A web application must be deployed to a vulnerable version of Tomcat (see previous section).

C. The web application must use the Servlet 3.0 File Upload feature.

D. A file location within a deployed web application must be writeable by the user the Tomcat process is running as. The Tomcat security documentation recommends against this.

E. A custom listener for JMX connections (e.g. the JmxRemoteListener that is not enabled by default) must be configured and be able to load classes from Tomcat's common class loader (i.e. the custom JMX listener must be placed in Tomcat's lib directory).

F. The custom JMX listener must be bound to an address other than localhost for a remote attack (it is bound to localhost by default). If the custom JMX listener is bound to localhost, a local attack will still be possible.

Note that requirements B and C may be replaced with the following requirement:

G. A web application is deployed that uses Apache Commons File Upload 1.2.1 or earlier. In this case a similar vulnerability may exist on any Servlet container, not just Apache Tomcat.

Affected Pivotal Products and Versions

Severity is important unless otherwise noted.

  • Pivotal tc Server, runtimes 7.0.4.A to 7.0.39.B inclusive (For an attack to be possible for a tc Runtime instance, the same requirements as set out above must be met. It should be noted that by default tc Server enables a custom JMX listener that listens on localhost for each runtime instance. This meets two of the six requirements listed above (E and F for local but not remote attacks) for a system to be vulnerable.)

Users of affected versions should apply one of the following mitigations:

  • Upgrade to Oracle Java 1.7.0 update 40 or later (or any other Java implementation where is not vulnerable to null byte injection).
  • Use OS file permissions to prevent the process tc Runtime is running as from writing to any location within a deployed application.
  • Upgrade to tc Runtime 7.0.42.A or later

This issue was identified by Pierre Ernst of the VMware Security Engineering, Communications & Response group (vSECR) and reported to the Tomcat security team via the Pivotal security team.


2014-Sep-10: Initial vulnerability report published.