On 04/10/17 08:27, Michael Smith wrote:
> Mark,
>
> Do you know if Tomcat 5.x and 6.x are vulnerable to this issue? I know they
> are not supported, but are they exploitable by this vulnerability?

I don't know. I haven't tested them and I don't plan to test them. My expectation is that 6.x and 5.x would be vulnerable to CVE-2017-12617 as well as CVE-2017-12615 and CVE-2017-12616 in some form as the code that handles resources in 7.0.x is also present (in an early form) in those versions.

Mark

> Thx
>
> Mike
>
> On 3 October 2017 at 11:55, Mark Thomas <ma...@apache.org> wrote:
>
>> CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 9.0.0.M1 to 9.0.0
>> Apache Tomcat 8.5.0 to 8.5.22
>> Apache Tomcat 8.0.0.RC1 to 8.0.46
>> Apache Tomcat 7.0.0 to 7.0.81
>>
>> Description:
>> When running with HTTP PUTs enabled (e.g. via setting the readonly
>> initialisation parameter of the Default servlet to false) it was
>> possible to upload a JSP file to the server via a specially crafted
>> request. This JSP could then be requested and any code it contained
>> would be executed by the server.
>>
>> Mitigation:
>> Users of the affected versions should apply one of the following
>> mitigations:
>> - Upgrade to Apache Tomcat 9.0.1 or later
>> - Upgrade to Apache Tomcat 8.5.23 or later
>> - Upgrade to Apache Tomcat 8.0.47 or later
>> - Upgrade to Apache Tomcat 7.0.82 or later
>>
>> Credit:
>> This issue was first reported publicly followed by multiple reports to
>> the Apache Tomcat Security Team.
>>
>> History:
>> 2017-10-03 Original advisory
>>
>> References:
>> [1] http://tomcat.apache.org/security-9.html
>> [2] http://tomcat.apache.org/security-8.html
>> [3] http://tomcat.apache.org/security-7.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>