Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Violeta Georgieva
Hello,

2017-10-04 4:52 GMT+03:00 Caldarale, Charles R <chuck.caldar...@unisys.com>:
>
> > From: Baron Fujimoto [mailto:ba...@hawaii.edu]
> > Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution
> via JSP upload
>
> > I haven't seen an

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Mark Thomas
On 04/10/17 08:27, Michael Smith wrote:
> Mark,
>
> Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they
> are not supported, but are they exploitable by this vulnerability?

I don't know. I haven't tested them and I don't plan to test them. My expectation is that 6.x and

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Michael Smith
Mark,

Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they are not supported, but are they exploitable by this vulnerability?

Thx
Mike

On 3 October 2017 at 11:55, Mark Thomas wrote:
> CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>

RE: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-03 Thread Caldarale, Charles R
> From: Baron Fujimoto [mailto:ba...@hawaii.edu]
> Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

> I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
> website seem to reference it yet, but it appears to

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-03 Thread Baron Fujimoto
On Tue, Oct 03, 2017 at 10:55:26AM +, Mark Thomas wrote:
>CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>
>Severity: Important
>
>Vendor: The Apache Software Foundation
>
>Versions Affected:
>[...]
>Apache Tomcat 8.0.0.RC1 to 8.0.46
>[...]
>
>Description:
>When running with