Posted to dev@ranger.apache.org by "peng.jianhua (JIRA)" <ji...@apache.org> on 2017/09/22 06:15:00 UTC

[jira] [Created] (RANGER-1797) Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.

peng.jianhua created RANGER-1797:
------------------------------------

             Summary: Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.81.
                 Key: RANGER-1797
                 URL: https://issues.apache.org/jira/browse/RANGER-1797
             Project: Ranger
          Issue Type: Bug
          Components: admin
    Affects Versions: 1.0.0, master
            Reporter: peng.jianhua
            Assignee: peng.jianhua


【Security Vulnerability Alert】Tomcat Information leakage and remote code execution vulnerabilities.
CVE ID:
{code}
CVE-2017-12615, CVE-2017-12616
{code}
Description
{code}
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
{code}
Scope
{code}
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
{code}
Solution
{code}
The official Apache Tomcat 7.0.81 release has fixed the two vulnerabilities, and upgrading to the latest version is recommended.
{code}
Reference
{code}
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
{code}



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
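
Added example (not part of the original message and not Ranger or Tomcat project code): a triage check for one Tomcat instance that combines the version ranges listed under Scope with the preconditions named in the Description. It assumes HTTP PUT is enabled through the DefaultServlet `readonly` init-param and that VirtualDirContext is selected by a `<Resources className=...>` element; the function names and the sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Affected ranges as stated under "Scope" in the message above (inclusive).
AFFECTED = {"CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
            "CVE-2017-12616": ((7, 0, 0), (7, 0, 80))}

def local(tag):
    """Drop an XML namespace prefix such as '{http://java.sun.com/xml/ns/javaee}'."""
    return tag.rsplit("}", 1)[-1]

def put_enabled(web_xml):
    """True if any servlet sets init-param readonly=false (assumed way PUT is enabled)."""
    for servlet in (e for e in ET.fromstring(web_xml).iter() if local(e.tag) == "servlet"):
        for param in (e for e in servlet.iter() if local(e.tag) == "init-param"):
            kv = {local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False

def uses_virtual_dir_context(context_xml):
    """True if a <Resources> element selects a VirtualDirContext implementation."""
    return any(local(e.tag) == "Resources" and e.get("className", "").endswith("VirtualDirContext")
               for e in ET.fromstring(context_xml).iter())

def triage(version, on_windows, web_xml, context_xml):
    """Per CVE: 'exposed' (affected version and precondition found in the config),
    'upgrade' (affected version, precondition not found), or 'not affected'."""
    v = tuple(int(p) for p in version.split(".")[:3])
    precondition = {"CVE-2017-12615": on_windows and put_enabled(web_xml),
                    "CVE-2017-12616": uses_virtual_dir_context(context_xml)}
    result = {}
    for cve, (low, high) in AFFECTED.items():
        if not low <= v <= high:
            result[cve] = "not affected"
        else:
            result[cve] = "exposed" if precondition[cve] else "upgrade"
    return result

# Constructed sample configuration, not taken from a Ranger install.
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><servlet>
  <servlet-name>default</servlet-name>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
CONTEXT_XML = """<Context><Resources
  className="org.apache.naming.resources.VirtualDirContext"/></Context>"""

if __name__ == "__main__":
    for ver in ("7.0.79", "7.0.80", "7.0.81"):
        print(ver, triage(ver, True, WEB_XML, CONTEXT_XML))
```

A result of "upgrade" means the version is in an affected range even though the supplied configuration does not show the precondition, so the move to 7.0.81 still applies.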