tomcat-users mailing list archives

From Michael Smith <warlock...@gmail.com>
Subject Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload
Date Wed, 04 Oct 2017 07:27:45 GMT
Mark,

Do you know if Tomcat 5.x and 6.x are vulnerable to this issue? I know they
are not supported, but are they exploitable by this vulnerability?

Thx

Mike

On 3 October 2017 at 11:55, Mark Thomas <markt@apache.org> wrote:

> CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0
> Apache Tomcat 8.5.0 to 8.5.22
> Apache Tomcat 8.0.0.RC1 to 8.0.46
> Apache Tomcat 7.0.0 to 7.0.81
>
> Description:
> When running with HTTP PUTs enabled (e.g. via setting the readonly
> initialisation parameter of the Default servlet to false) it was
> possible to upload a JSP file to the server via a specially crafted
> request. This JSP could then be requested and any code it contained
> would be executed by the server.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.1 or later
> - Upgrade to Apache Tomcat 8.5.23 or later
> - Upgrade to Apache Tomcat 8.0.47 or later
> - Upgrade to Apache Tomcat 7.0.82 or later
>
> Credit:
> This issue was first reported publicly followed by multiple reports to
> the Apache Tomcat Security Team.
>
> History:
> 2017-10-03 Original advisory
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
>
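
Added example, not part of the original message or the advisory: a small audit helper that classifies a Tomcat version against the branches the advisory lists and flags Default servlet entries in a `web.xml` where `readonly` is `false`. It checks only that one way of enabling PUT (the advisory gives it as an example), reports branches the advisory does not name as `not-listed` rather than guessing, and the function names and sample XML are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, taken from the advisory's mitigation list.
FIXED = {(9, 0): 1, (8, 5): 23, (8, 0): 47, (7, 0): 82}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

def version_status(version):
    """Classify a Tomcat version as 'affected', 'fixed' or 'not-listed'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "not-listed"
    major, minor, patch = (int(g) for g in m.groups())
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-listed"  # branch not named in the advisory (e.g. 5.x, 6.x)
    return "affected" if patch < fixed_patch else "fixed"

def _local(tag):
    """Strip the XML namespace that web.xml files usually declare."""
    return tag.rsplit("}", 1)[-1]

def _children(elem):
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def writable_default_servlets(web_xml_text):
    """Return names of DefaultServlet entries with readonly set to false."""
    hits = []
    for servlet in ET.fromstring(web_xml_text).iter():
        if _local(servlet.tag) != "servlet":
            continue
        info = _children(servlet)
        if info.get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            kv = _children(param)
            if (_local(param.tag) == "init-param" and kv.get("param-name") == "readonly"
                    and kv.get("param-value", "").lower() == "false"):
                hits.append(info.get("servlet-name", "(unnamed)"))
    return hits

# Constructed sample: a conf/web.xml fragment with PUT enabled on the Default servlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

Run it against both `conf/web.xml` and each application's `WEB-INF/web.xml`, since either can declare the servlet.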
