The affected versions are Apache Tomcat 11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, and 9.0.0-M1 to 9.0.98. The respective fixed versions are 11.0.3 or later, 10.1.35 or later, and 9.0.99 or later.
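As an added example (not code from Wallarm or the Apache advisory), a small triage script that encodes the affected and fixed ranges listed above so a defender can classify an inventory of Tomcat version strings; the `major.minor.patch[-Mn]` format and the ordering of milestone builds before the final release of the same number are assumptions, and branches the text does not list (such as 8.5.x) are reported as unlisted rather than safe.

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges and first fixed release per branch, as stated in the text.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.2", "11.0.3"),
    ("10.1.0-M1", "10.1.34", "10.1.35"),
    ("9.0.0-M1", "9.0.98", "9.0.99"),
]

# Assumed version syntax: major.minor.patch with an optional -Mn milestone suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '9.0.0-M1' or '10.1.34' into a sortable key.

    A milestone build sorts before the final release with the same number:
    milestone -> (major, minor, patch, 0, n), final -> (major, minor, patch, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def check_tomcat_version(version: str) -> Tuple[str, Optional[str]]:
    """Return (status, first_fixed) where status is 'affected', 'fixed' or 'unlisted'."""
    key = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        low_key, high_key = parse_version(low), parse_version(high)
        if key[:2] != low_key[:2]:  # only compare within the same major.minor branch
            continue
        if low_key <= key <= high_key:
            return ("affected", fixed)
        if key >= parse_version(fixed):
            return ("fixed", fixed)
        return ("unlisted", fixed)  # a build between the last affected and the fix
    return ("unlisted", None)  # branch not covered by the advisory text


if __name__ == "__main__":
    # Constructed sample inventory for demonstration.
    for v in ["9.0.98", "9.0.99", "10.1.0-M1", "11.0.2", "11.0.3", "8.5.100"]:
        print(v, *check_tomcat_version(v))
```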
Wallarm detected the first attack, originating from Poland, on March 12, a few days before the first public exploit was released on GitHub.
“While this exploit abuses session storage, the bigger issue is partial PUT handling in Tomcat, which allows uploading practically any file anywhere,” Wallarm said in the blog. “Attackers will soon start shifting their tactics, uploading malicious JSP files, modifying configurations, and planting backdoors outside session storage.”