tomcat-users mailing list archives

From Baron Fujimoto <ba...@hawaii.edu>
Subject Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload
Date Wed, 04 Oct 2017 01:28:28 GMT
On Tue, Oct 03, 2017 at 10:55:26AM +0000, Mark Thomas wrote:
>CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>
>Severity: Important
>
>Vendor: The Apache Software Foundation
>
>Versions Affected:
>[...]
>Apache Tomcat 8.0.0.RC1 to 8.0.46
>[...]
>
>Description:
>When running with HTTP PUTs enabled (e.g. via setting the readonly
>initialisation parameter of the Default servlet to false) it was
>possible to upload a JSP file to the server via a specially crafted
>request. This JSP could then be requested and any code it contained
>would be executed by the server.
>
>Mitigation:
>Users of the affected versions should apply one of the following
>mitigations:
>[...]
>- Upgrade to Apache Tomcat 8.0.47 or later
>[...]

I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
website seem to reference it yet, but it appears to be available in the
distribution archive(s). E.g.:

<http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.47/bin/>

Is this 8.0.47 blessed for use?

Aloha,
-baron
-- 
Baron Fujimoto <baron@hawaii.edu> :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
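
As an added example (not code from the Tomcat project, the advisory, or this message), the following Python script audits a Tomcat web.xml for the precondition the quoted advisory names: a DefaultServlet whose readonly init-param is false, which is what turns on HTTP PUT. The two web.xml fragments are constructed samples showing the weak setting beside the corrected one; the function names are mine, and the version check models only the 8.0 branch range quoted above (8.0.0.RC1 through 8.0.46), since the other branches are elided in the quote.

```python
"""Audit a Tomcat web.xml for the HTTP PUT exposure described in CVE-2017-12617.

Added example, not Tomcat project code. It parses a (constructed) web.xml and
reports whether the DefaultServlet has readonly set to false, the condition the
advisory names as enabling JSP upload via PUT.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: the weak setting. readonly=false makes the DefaultServlet
# accept PUT (and DELETE) against the web application's files.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: the corrected setting. readonly=true (also Tomcat's default
# when the parameter is absent) refuses PUT and DELETE.
SAFE_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                    "<param-value>true</param-value>")


def _local(tag):
    """Strip a namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}servlet."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name):
    """Stripped text of the first child whose local name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def default_servlet_readonly(web_xml):
    """Effective `readonly` value of the DefaultServlet declared in web_xml.

    True  -> PUT/DELETE refused (readonly true, or parameter absent)
    False -> PUT/DELETE accepted
    None  -> no DefaultServlet declared in this document
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        readonly = True  # Tomcat's default when the parameter is absent
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            if _text(param, "param-name") == "readonly":
                # Tomcat parses the value with Boolean.parseBoolean: only the
                # case-insensitive string "true" keeps the servlet read-only,
                # so a value like "no" also enables PUT.
                value = (_text(param, "param-value") or "").lower()
                readonly = value == "true"
        return readonly
    return None


def put_uploads_enabled(web_xml):
    """True when the DefaultServlet would accept HTTP PUT (the advisory's precondition)."""
    return default_servlet_readonly(web_xml) is False


def affected_8_0_version(version):
    """Affected range for the 8.0 branch only: 8.0.0.RC1 through 8.0.46.

    Returns None for versions outside 8.0.x; other branches are not modelled
    because the quoted advisory elides them.
    """
    parts = version.split(".")
    if len(parts) < 3 or parts[0] != "8" or parts[1] != "0":
        return None
    try:
        patch = int(parts[2])  # "8.0.0.RC1" yields patch 0, inside the range
    except ValueError:
        return None
    return patch <= 46


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("fixed", SAFE_WEB_XML)):
        print(f"{label}: readonly={default_servlet_readonly(doc)} "
              f"PUT uploads enabled={put_uploads_enabled(doc)}")
    for v in ("8.0.0.RC1", "8.0.46", "8.0.47"):
        print(f"{v}: affected={affected_8_0_version(v)}")
```

Run it against the real conf/web.xml (and any per-application WEB-INF/web.xml that redeclares the default servlet) to confirm PUT is off; the version check only tells you whether an 8.0.x install falls inside the range the quoted advisory gives, so the upgrade to 8.0.47 is still the fix.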
