From announce-return-4090-apmail-announce-archive=apache.org@apache.org  Tue Sep 19 16:23:42 2017
Return-Path: <announce-return-4090-apmail-announce-archive=apache.org@apache.org>
X-Original-To: apmail-announce-archive@www.apache.org
Delivered-To: apmail-announce-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id C9EE510D90
	for <apmail-announce-archive@www.apache.org>; Tue, 19 Sep 2017 16:23:42 +0000 (UTC)
Received: (qmail 1000 invoked by uid 500); 19 Sep 2017 16:23:32 -0000
Delivered-To: apmail-announce-archive@apache.org
Received: (qmail 356 invoked by uid 500); 19 Sep 2017 16:23:32 -0000
Mailing-List: contact announce-help@apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:announce-help@apache.org>
List-Unsubscribe: <mailto:announce-unsubscribe@apache.org>
List-Post: <mailto:announce@apache.org>
List-Id: <announce.apache.org>
Delivered-To: mailing list announce@apache.org
Delivered-To: moderator for announce@apache.org
Received: (qmail 64990 invoked by uid 99); 19 Sep 2017 11:13:53 -0000
Subject: [CORRECTION][SECURITY] CVE-2017-12615 Apache Tomcat Remote Code
 Execution via JSP upload
From: Mark Thomas <markt@apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Cc: "announce@tomcat.apache.org" <announce@tomcat.apache.org>,
 announce@apache.org, Tomcat Developers List <dev@tomcat.apache.org>
References: <de541c4a-55b1-a4d3-4fbe-f8e3800b920f@apache.org>
Message-ID: <81e3acd3-f335-ff0d-ae89-bf44bb66fca0@apache.org>
Date: Tue, 19 Sep 2017 12:13:50 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <de541c4a-55b1-a4d3-4fbe-f8e3800b920f@apache.org>
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 8bit

The body of the original advisory referred to CVE-2017-7674. This was
incorrect. It was a copy and paste error from a previous Tomcat advisory.

The correct CVE reference is CVE-2017-12615, as per the subject line.


On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload
> 
> Severity: Important
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 7.0.0 to 7.0.79
> 
> Description:
> When running on Windows with HTTP PUTs enabled (e.g. via setting the
> readonly initialisation parameter of the Default to false) it was
> possible to upload a JSP file to the server via a specially crafted
> request. This JSP could then be requested and any code it contained
> would be executed by the server.
> 
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)
> 
> Credit:
> This issue was reported responsibly to the Apache Tomcat Security Team
> by iswin from 360-sg-lab (360观星实验室)
> 
> History:
> 2017-09-19 Original advisory
> 
> References:
> [1] http://tomcat.apache.org/security-7.html
>