[jira] [Updated] (RANGER-1797) Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.
[ https://issues.apache.org/jira/browse/RANGER-1797?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vishal Suvagia updated RANGER-1797:
---
    Attachment: catalina.out

Attaching [^catalina.out], as per info shared on review request.

> Tomcat Security Vulnerability Alert. The version of the tomcat for ranger
> should upgrade to 7.0.82.
> ---
>
> Key: RANGER-1797
> URL: https://issues.apache.org/jira/browse/RANGER-1797
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 1.0.0, master
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: patch
> Attachments:
> 0001-RANGER-1797-Tomcat-Security-Vulnerability-Alert.-The.patch, catalina.out
>
>
> 【Security Vulnerability Alert】Tomcat Information leakage and remote code
> execution vulnerabilities.
> CVE ID:
> {code}
> CVE-2017-12615\CVE-2017-12616
> {code}
> Description
> {code}
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
> specially crafted request. This JSP could then be requested and any code it
> contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to
> 7.0.80, it was possible to use a specially crafted request, bypass security
> constraints, or get the source code of JSPs for resources served by the
> VirtualDirContext, thereby caused code disclosure.
> {code}
> Scope
> {code}
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> {code}
> Solution
> {code}
> The official release of the Apache Tomcat 7.0.81 version has fixed the two
> vulnerabilities and recommends upgrading to the latest version.
> {code}
> Reference
> {code}
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> {code}

--
This message was sent by Atlassian JIRA (v6.4.14#64029)

[jira] [Updated] (RANGER-1797) Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.
[ https://issues.apache.org/jira/browse/RANGER-1797?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

peng.jianhua updated RANGER-1797:
-
    Summary: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82. (was: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.)

> Tomcat Security Vulnerability Alert. The version of the tomcat for ranger
> should upgrade to 7.0.82.
> ---
>
> Key: RANGER-1797
> URL: https://issues.apache.org/jira/browse/RANGER-1797
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 1.0.0, master
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: patch
> Attachments:
> 0001-RANGER-1797-Tomcat-Security-Vulnerability-Alert.-The.patch
>
>
> 【Security Vulnerability Alert】Tomcat Information leakage and remote code
> execution vulnerabilities.
> CVE ID:
> {code}
> CVE-2017-12615\CVE-2017-12616
> {code}
> Description
> {code}
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
> specially crafted request. This JSP could then be requested and any code it
> contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to
> 7.0.80, it was possible to use a specially crafted request, bypass security
> constraints, or get the source code of JSPs for resources served by the
> VirtualDirContext, thereby caused code disclosure.
> {code}
> Scope
> {code}
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> {code}
> Solution
> {code}
> The official release of the Apache Tomcat 7.0.81 version has fixed the two
> vulnerabilities and recommends upgrading to the latest version.
> {code}
> Reference
> {code}
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> {code}

[jira] [Updated] (RANGER-1797) Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.
[ https://issues.apache.org/jira/browse/RANGER-1797?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

peng.jianhua updated RANGER-1797:
-
    Description:
【Security Vulnerability Alert】Tomcat Information leakage and remote code
execution vulnerabilities.
CVE ID:
{code}
CVE-2017-12615\CVE-2017-12616
{code}
Description
{code}
CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
specially crafted request. This JSP could then be requested and any code it
contained would be executed by the server.
CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to
7.0.80, it was possible to use a specially crafted request, bypass security
constraints, or get the source code of JSPs for resources served by the
VirtualDirContext, thereby caused code disclosure.
{code}
Scope
{code}
CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
{code}
Solution
{code}
The official release of the Apache Tomcat 7.0.81 version has fixed the two
vulnerabilities and recommends upgrading to the latest version.
{code}
Reference
{code}
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
{code}

  was:
【Security Vulnerability Alert】Tomcat Information leakage and remote code
execution vulnerabilities.
CVE ID:
{code}
CVE-2017-12615\CVE-2017-12616
{code}
Description
{code}
CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
specially crafted request. This JSP could then be requested and any code it
contained would be executed by the server.
CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to
7.0.80, it was possible to use a specially crafted request, bypass security
constraints, or get the source code of JSPs for resources served by the
VirtualDirContext, thereby caused code disclosure.
{code}
Scope
{code}
CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
{code}
Solution
{code}
The official release of the Apache Tomcat 7.0.81 version has fixed the two
vulnerabilities and recommends upgrading to the latest version.
{code}
Reference
{code}
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
{code}

> Tomcat Security Vulnerability Alert. The version of the tomcat for ranger
> should upgrade to 7.0.82.
> ---
>
> Key: RANGER-1797
> URL: https://issues.apache.org/jira/browse/RANGER-1797
> Project: Ranger
> Issue Type: Bug
> Components: admin
> Affects Versions: 1.0.0, master
> Reporter: peng.jianhua
> Assignee: peng.jianhua
> Labels: patch
> Attachments:
> 0001-RANGER-1797-Tomcat-Security-Vulnerability-Alert.-The.patch
>
>
> 【Security Vulnerability Alert】Tomcat Information leakage and remote code
> execution vulnerabilities.
> CVE ID:
> {code}
> CVE-2017-12615\CVE-2017-12616
> {code}
> Description
> {code}
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
> specially crafted request. This JSP could then be requested and any code it
> contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to
> 7.0.80, it was possible to use a specially crafted request, bypass security
> constraints, or get the source code of JSPs for resources served by the
> VirtualDirContext, thereby caused code disclosure.
> {code}
> Scope
> {code}
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> {code}
> Solution
> {code}
> The official release of the Apache Tomcat 7.0.81 version has fixed the two
> vulnerabilities and recommends upgrading to the latest version.
> {code}
> Reference
> {code}
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> {code}