Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-29 Thread Harish Krishnan
Thank you for this latest update. Looking forward to the 7.x new build.

Sent from my iPhone

> On Sep 29, 2017, at 2:14 AM, Mark Thomas wrote:
>
> Hi all,
>
> Hopefully this will be the final update on this.
>
> The fixes for CVE-2017-12617 have now been applied to all

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-29 Thread Mark Thomas
Hi all,

Hopefully this will be the final update on this.

The fixes for CVE-2017-12617 have now been applied to all current versions. Releases for 9.0.x and 8.5.x are already in progress on the dev@ list. The release process for 8.0.x and 7.0.x is expected to start shortly. As per my previous

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-25 Thread Harish Krishnan
Thank you for the response and confirmation, Mark.

Sent from my iPhone

> On Sep 25, 2017, at 12:36 PM, Mark Thomas wrote:
>
>> On 25/09/17 18:12, Harish Krishnan wrote:
>> Hi Mark,
>>
>> Thanks for the timely updates.
>> My understanding is, there will be a new 7.x update

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-25 Thread Mark Thomas
On 25/09/17 18:12, Harish Krishnan wrote:
> Hi Mark,
>
> Thanks for the timely updates.
> My understanding is, there will be a new 7.x update available for addressing
> CVE-2017-12617. Is that correct?
> The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and
> CVE*12616).
>

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-25 Thread Harish Krishnan
Hi Mark,

Thanks for the timely updates.
My understanding is, there will be a new 7.x update available for addressing CVE-2017-12617. Is that correct?
The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and CVE*12616).

When can we expect the new update for 7.x? Sent from my

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-22 Thread Mark Thomas
Update: The review did not identify any further security concerns but it did identify a handful of places where the code could benefit from some clean-up. This clean-up makes the purpose of the code clearer and eases future maintenance in this security-relevant area of the code base. The

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-20 Thread Mark Thomas
Update: We believe we have a set of patches [1],[2] that addresses this for 9.0.x. The plan is to give folks ~12 hours to review the proposed patches and then back-port the patches, tag and release. Further analysis has not identified any additional attack vectors or risks associated with this

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-20 Thread Mark Thomas
Update: The issue has been confirmed. CVE-2017-12617 has been allocated. The issue is not limited to PUT requests. For the Default servlet, DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and COPY are believed to be affected. The RCE via JSP upload using PUT is still