Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Violeta Georgieva
Hello,

2017-10-04 4:52 GMT+03:00 Caldarale, Charles R <chuck.caldar...@unisys.com>:
>
> > From: Baron Fujimoto [mailto:ba...@hawaii.edu]
> > Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution
> > via JSP upload
>
> > I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
> > website seem to reference it yet, but it appears to be available in the
> > distribution archive(s). E.g.:
>
> > <http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.47/bin/>
>
> > Is this 8.0.47 blessed for use?
>
> Pretty much - the voting process completed over the weekend (it passed), but
> the announcement isn't made until the mirrors all catch up.  Should be fine
> to use from the archive.

The Tomcat site was updated with information about version 8.0.47.
Announcement also was sent.

Regards,
Violeta


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Mark Thomas
On 04/10/17 08:27, Michael Smith wrote:
> Mark,
> 
> Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they
> are not supported, but are they exploitable by this vulnerability?

I don't know. I haven't tested them and I don't plan to test them.

My expectation is that 6.x and 5.x would be vulnerable to CVE-2017-12617
as well as CVE-2017-12615 and CVE-2017-12616 in some form as the code
that handles resources in 7.0.x is also present (in an early form) in
those versions.

Mark


> 
> Thx
> 
> Mike
> 
> On 3 October 2017 at 11:55, Mark Thomas wrote:
> 
>> CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 9.0.0.M1 to 9.0.0
>> Apache Tomcat 8.5.0 to 8.5.22
>> Apache Tomcat 8.0.0.RC1 to 8.0.46
>> Apache Tomcat 7.0.0 to 7.0.81
>>
>> Description:
>> When running with HTTP PUTs enabled (e.g. via setting the readonly
>> initialisation parameter of the Default servlet to false) it was
>> possible to upload a JSP file to the server via a specially crafted
>> request. This JSP could then be requested and any code it contained
>> would be executed by the server.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 9.0.1 or later
>> - Upgrade to Apache Tomcat 8.5.23 or later
>> - Upgrade to Apache Tomcat 8.0.47 or later
>> - Upgrade to Apache Tomcat 7.0.82 or later
>>
>> Credit:
>> This issue was first reported publicly followed by multiple reports to
>> the Apache Tomcat Security Team.
>>
>> History:
>> 2017-10-03 Original advisory
>>
>> References:
>> [1] http://tomcat.apache.org/security-9.html
>> [2] http://tomcat.apache.org/security-8.html
>> [3] http://tomcat.apache.org/security-7.html
>>
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
> 


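The advisory quoted above names two preconditions: an affected Tomcat version and the Default servlet's readonly init-param set to false. As an added example (not part of this thread or of the Tomcat project), here is a small audit helper that encodes both: it classifies a version banner against the advisory's affected ranges (treating M1/RC1 pre-releases as sorting before the final build, and reporting branches such as 5.x/6.x as not covered, matching Mark's answer) and reads the effective readonly value out of a conf/web.xml. The web.xml fragment is constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Advisory ranges as [first affected, first fixed) over (major, minor, patch, final);
# final=0 marks an M1/RC1 pre-release so 9.0.0.M1 < 9.0.0 and 8.0.0.RC1 < 8.0.0.
AFFECTED = {
    (9, 0): ((9, 0, 0, 0), (9, 0, 1, 1)),   # 9.0.0.M1 .. 9.0.0    -> fixed 9.0.1
    (8, 5): ((8, 5, 0, 1), (8, 5, 23, 1)),  # 8.5.0 .. 8.5.22      -> fixed 8.5.23
    (8, 0): ((8, 0, 0, 0), (8, 0, 47, 1)),  # 8.0.0.RC1 .. 8.0.46  -> fixed 8.0.47
    (7, 0): ((7, 0, 0, 1), (7, 0, 82, 1)),  # 7.0.0 .. 7.0.81      -> fixed 7.0.82
}

def parse_version(banner):
    """'Apache Tomcat/8.0.0.RC1' -> (8, 0, 0, 0); '8.5.22' -> (8, 5, 22, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)\d+)?", banner)
    if not m:
        raise ValueError("no Tomcat version in %r" % banner)
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)

def version_status(banner):
    """'affected', 'fixed', or 'unlisted' (a branch the advisory does not cover)."""
    v = parse_version(banner)
    if v[:2] not in AFFECTED:
        return "unlisted"
    low, fixed = AFFECTED[v[:2]]
    return "affected" if low <= v < fixed else "fixed"

_local = lambda tag: tag.rsplit("}", 1)[-1]  # strip the XML namespace from a tag

def default_servlet_readonly(web_xml):
    """Effective 'readonly' of the Default servlet; Tomcat's default is true."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-name") != "default":
            continue
        for param in servlet:
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if _local(param.tag) == "init-param" and kv.get("param-name") == "readonly":
                return kv.get("param-value", "true").lower() != "false"
    return True  # no explicit readonly param: PUT/DELETE stay disabled

# Constructed conf/web.xml fragment with the weak setting the advisory describes.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
```

A host is exposed in the advisory's sense only when `version_status(...)` returns "affected" and `default_servlet_readonly(...)` returns False; an "unlisted" result (e.g. 6.x) means the advisory makes no statement, not that the build is safe.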



Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Michael Smith
Mark,

Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they
are not supported, but are they exploitable by this vulnerability?

Thx

Mike

On 3 October 2017 at 11:55, Mark Thomas wrote:

> CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0
> Apache Tomcat 8.5.0 to 8.5.22
> Apache Tomcat 8.0.0.RC1 to 8.0.46
> Apache Tomcat 7.0.0 to 7.0.81
>
> Description:
> When running with HTTP PUTs enabled (e.g. via setting the readonly
> initialisation parameter of the Default servlet to false) it was
> possible to upload a JSP file to the server via a specially crafted
> request. This JSP could then be requested and any code it contained
> would be executed by the server.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.1 or later
> - Upgrade to Apache Tomcat 8.5.23 or later
> - Upgrade to Apache Tomcat 8.0.47 or later
> - Upgrade to Apache Tomcat 7.0.82 or later
>
> Credit:
> This issue was first reported publicly followed by multiple reports to
> the Apache Tomcat Security Team.
>
> History:
> 2017-10-03 Original advisory
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
>
>
>


RE: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-03 Thread Caldarale, Charles R
> From: Baron Fujimoto [mailto:ba...@hawaii.edu] 
> Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution
> via JSP upload

> I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
> website seem to reference it yet, but it appears to be available in the
> distribution archive(s). E.g.:

> <http://archive.apache.org/dist/tomcat/tomcat-8/v8.0.47/bin/>

> Is this 8.0.47 blessed for use?

Pretty much - the voting process completed over the weekend (it passed), but
the announcement isn't made until the mirrors all catch up.  Should be fine
to use from the archive.

 - Chuck







Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-03 Thread Baron Fujimoto
On Tue, Oct 03, 2017 at 10:55:26AM +, Mark Thomas wrote:
>CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>
>Severity: Important
>
>Vendor: The Apache Software Foundation
>
>Versions Affected:
>[...]
>Apache Tomcat 8.0.0.RC1 to 8.0.46
>[...]
>
>Description:
>When running with HTTP PUTs enabled (e.g. via setting the readonly
>initialisation parameter of the Default servlet to false) it was
>possible to upload a JSP file to the server via a specially crafted
>request. This JSP could then be requested and any code it contained
>would be executed by the server.
>
>Mitigation:
>Users of the affected versions should apply one of the following
>mitigations:
>[...]
>- Upgrade to Apache Tomcat 8.0.47 or later
>[...]

I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
website seem to reference it yet, but it appears to be available in the
distribution archive(s). E.g.:



Is this 8.0.47 blessed for use?

Aloha,
-baron
-- 
Baron Fujimoto  :: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
