Several security vulnerabilities have been patched in recent weeks in Apache Tomcat. The list of fixed flaws recently addressed also included code execution vulnerabilities.

Apache Tomcat is the most widely used web application server, with over one million downloads per month and over 70% penetration in the enterprise datacenter.

On Tuesday, the Apache Tomcat development team publicly disclosed the presence of a remote code execution vulnerability, tracked as CVE-2017-12617, affecting the popular web application server. The Tomcat versions 9.x, 8.5.x, 8.0.x and 7.0.x are affected by the flaw.

The vulnerability classified as “important” severity, has been fixed in the versions 9.0.1, 8.5.23, 8.0.47 and 7.0.82.

The vulnerability only affected systems that have the HTTP PUT method enabled, it could be exploited by attackers to upload a malicious JSP file to a targeted server using a specially crafted request. Once the file has been uploaded, the code it contains could be executed by requesting the file.

Fortunately, the extent of the flaw is limited by the fact that it could be triggered only on the default servlet configured with the readonly parameter set to false or the WebDAV servlet enabled with the readonly parameter set to false.

“When running with HTTP PUTs enabled (e.g. via setting the read-only initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.” states the security advisory.