tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload
Date Wed, 04 Oct 2017 08:30:45 GMT
On 04/10/17 08:27, Michael Smith wrote:
> Mark,
> 
> Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they
> are not supported, but are they exploitable by this vulnerability?

I don't know. I haven't tested them and I don't plan to test them.

My expectation is that 6.x and 5.x would be vulnerable to CVE-2017-12617
as well as CVE-2017-12615 and CVE-2017-12616 in some form as the code
that handles resources in 7.0.x is also present (in an early form) in
those versions.

Mark


> 
> Thx
> 
> Mike
> 
> On 3 October 2017 at 11:55, Mark Thomas <markt@apache.org> wrote:
> 
>> CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 9.0.0.M1 to 9.0.0
>> Apache Tomcat 8.5.0 to 8.5.22
>> Apache Tomcat 8.0.0.RC1 to 8.0.46
>> Apache Tomcat 7.0.0 to 7.0.81
>>
>> Description:
>> When running with HTTP PUTs enabled (e.g. via setting the readonly
>> initialisation parameter of the Default servlet to false) it was
>> possible to upload a JSP file to the server via a specially crafted
>> request. This JSP could then be requested and any code it contained
>> would be executed by the server.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 9.0.1 or later
>> - Upgrade to Apache Tomcat 8.5.23 or later
>> - Upgrade to Apache Tomcat 8.0.47 or later
>> - Upgrade to Apache Tomcat 7.0.82 or later
>>
>> Credit:
>> This issue was first reported publicly followed by multiple reports to
>> the Apache Tomcat Security Team.
>>
>> History:
>> 2017-10-03 Original advisory
>>
>> References:
>> [1] http://tomcat.apache.org/security-9.html
>> [2] http://tomcat.apache.org/security-8.html
>> [3] http://tomcat.apache.org/security-7.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
> 

