[ https://issues.apache.org/jira/browse/KYLIN-2891?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
peng.jianhua updated KYLIN-2891:
--------------------------------
Description:
【Security Vulnerability Alert】 Tomcat information leakage and remote code
execution vulnerabilities.
CVE ID:
{code}
CVE-2017-12617
{code}
Description
{code}
When running with HTTP PUTs enabled (e.g. via setting the readonly
initialisation parameter of the Default servlet to false) it was possible to
upload a JSP file to the server via a specially crafted request. This JSP could
then be requested and any code it contained would be executed by the server.
{code}
Scope
{code}
Affects: 7.0.0 to 7.0.81
{code}
Solution
{code}
The official release of the Apache Tomcat 7.0.82 version has fixed the
vulnerability and recommends upgrading to the 7.0.82 version.
{code}
Reference
{code}
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
{code}
was:
【Security Vulnerability Alert】 Tomcat information leakage and remote code
execution vulnerabilities.
CVE ID:
{code}
CVE-2017-12615, CVE-2017-12616
{code}
Description
{code}
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP
PUTs enabled, it was possible to upload a JSP file to the server via a
specially crafted request. This JSP could then be requested and any code it
contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to
7.0.80, it was possible to use a specially crafted request, bypass security
constraints, or get the source code of JSPs for resources served by the
VirtualDirContext, thereby causing code disclosure.
{code}
Scope
{code}
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
{code}
Solution
{code}
The official release of the Apache Tomcat 7.0.81 version has fixed the two
vulnerabilities and recommends upgrading to the latest version.
{code}
Reference
{code}
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
{code}
> Tomcat Security Vulnerability Alert. The Tomcat version used by Kylin
> should be upgraded to 7.0.82.
> --------------------------------------------------------------------------------------------------
>
> Key: KYLIN-2891
> URL: https://issues.apache.org/jira/browse/KYLIN-2891
> Project: Kylin
> Issue Type: Bug
> Components: Website
> Affects Versions: v2.0.0, v2.1.0
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: patch
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
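The weak setting the description refers to, the Default servlet's readonly init-param, can be audited directly in Tomcat's conf/web.xml. The following is an added example, not code from this issue or from the Kylin project: it parses a constructed web.xml fragment (labelled as such), reports the effective readonly value, and rewrites the parameter back to Tomcat's safe default of true.

```python
import xml.etree.ElementTree as ET
JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed Tomcat conf/web.xml fragment with the weak setting (readonly=false enables PUT).
WEAK_WEB_XML = f"""<web-app xmlns="{JAVAEE_NS}" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET}</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>"""

def _kids(elem, name):
    """Children with the given local name, ignoring the xmlns the file declares."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]

def _default_servlet(root):
    """The <servlet> entry whose class is Tomcat's DefaultServlet, or None."""
    for servlet in root.iter():
        if servlet.tag.rsplit("}", 1)[-1] != "servlet":
            continue
        if any((c.text or "").strip() == DEFAULT_SERVLET for c in _kids(servlet, "servlet-class")):
            return servlet
    return None

def _readonly_value(root):
    """The <param-value> element of the Default servlet's readonly init-param, or None."""
    servlet = _default_servlet(root)
    for param in _kids(servlet, "init-param") if servlet is not None else []:
        if any((n.text or "").strip() == "readonly" for n in _kids(param, "param-name")):
            values = _kids(param, "param-value")
            return values[0] if values else None
    return None

def default_servlet_readonly(web_xml):
    """Effective readonly setting; Tomcat treats an absent param as true (PUT refused)."""
    value = _readonly_value(ET.fromstring(web_xml))
    return value is None or (value.text or "").strip().lower() != "false"

def harden(web_xml):
    """Return the same web.xml with readonly forced back to true."""
    ET.register_namespace("", JAVAEE_NS)  # keep the default xmlns on re-serialisation
    root = ET.fromstring(web_xml)
    value = _readonly_value(root)
    if value is not None:
        value.text = "true"
    return ET.tostring(root, encoding="unicode")
```

Note that this only covers the conf/web.xml setting; a per-application WEB-INF/web.xml can override it, so check those too. Upgrading Tomcat to 7.0.82 remains the fix the issue asks for.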