Return-Path: <announce-return-4124-archive-asf-public=cust-asf.ponee.io@apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id F2FB8200D14
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Tue,  3 Oct 2017 13:22:26 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id F1BB41609DD; Tue,  3 Oct 2017 11:22:26 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id 3B4E91609D2
	for <archive-asf-public@cust-asf.ponee.io>; Tue,  3 Oct 2017 13:22:26 +0200 (CEST)
Received: (qmail 40623 invoked by uid 500); 3 Oct 2017 11:22:23 -0000
Mailing-List: contact announce-help@apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:announce-help@apache.org>
List-Unsubscribe: <mailto:announce-unsubscribe@apache.org>
List-Post: <mailto:announce@apache.org>
List-Id: <announce.apache.org>
Delivered-To: mailing list announce@apache.org
Delivered-To: moderator for announce@apache.org
Received: (qmail 50333 invoked by uid 99); 3 Oct 2017 10:55:29 -0000
From: Mark Thomas <markt@apache.org>
Subject: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP
 upload
Reply-To: announce@tomcat.apache.org
To: Tomcat Users List <users@tomcat.apache.org>
Cc: "announce@tomcat.apache.org" <announce@tomcat.apache.org>,
 announce@apache.org, Tomcat Developers List <dev@tomcat.apache.org>
Message-ID: <f7229e11-5e8d-aa00-ff22-f0a795669010@apache.org>
Date: Tue, 3 Oct 2017 11:55:26 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Thunderbird/52.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Language: en-GB
Content-Transfer-Encoding: 7bit
archived-at: Tue, 03 Oct 2017 11:22:27 -0000

CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0
Apache Tomcat 8.5.0 to 8.5.22
Apache Tomcat 8.0.0.RC1 to 8.0.46
Apache Tomcat 7.0.0 to 7.0.81

Description:
When running with HTTP PUTs enabled (e.g. via setting the readonly
initialisation parameter of the Default servlet to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.1 or later
- Upgrade to Apache Tomcat 8.5.23 or later
- Upgrade to Apache Tomcat 8.0.47 or later
- Upgrade to Apache Tomcat 7.0.82 or later

Credit:
This issue was first reported publicly followed by multiple reports to
the Apache Tomcat Security Team.

History:
2017-10-03 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html