Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2017/09/20 08:25:35 UTC

[SECURITY] Apache Tomcat Possible additional RCE via JSP upload

All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker
[2] rather than responsibly via the Tomcat Security Team's private
mailing list [3].

We have not yet completed our investigation of these reports but, based
on the volume and our initial investigation, they appear to be valid.

From an initial analysis of the reports received, the vulnerability only
affects the following configurations:

Default Servlet
- Default Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests

WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests
  AND
- The documented advice not to map the WebDAV servlet as the Default
  servlet has been ignored

Please note that:
 - The WebDAV servlet is disabled by default
 - The default value for the readonly parameter is true for both the
   Default servlet and the WebDAV servlet

Therefore, a default Tomcat installation is not affected by this
potential vulnerability.

Based on our understanding to date, the potential vulnerability may be
mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted
  users

We will provide updates to the community as our investigation of these
reports continues.

Mark
on behalf of the Apache Tomcat Security Team


[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
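The two mitigations in the announcement above (readonly="true" on the Default and WebDAV servlets, and denying resource-modifying HTTP methods to untrusted users) can be checked mechanically against a web.xml. The audit script below is an added example and not Tomcat project code: it parses a web.xml, flags the exposure conditions the announcement lists, and, because the later update quoted in the replies states that DELETE, MOVE and COPY are affected as well as PUT, treats a security-constraint that denies only PUT as insufficient. The servlet class names and the readonly init-param are Tomcat's own; the three web.xml samples are constructed for this example, and extending the method list with MKCOL and PROPPATCH is an assumption of the example rather than something the thread states.

```python
"""Audit a Tomcat web.xml for the exposure conditions in this thread (added
example, not Tomcat project code): readonly="false" on the Default/WebDAV
servlet, WebDAV mapped as the default servlet, and resource-modifying HTTP
methods that no security-constraint denies to untrusted users."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
WEBDAV_SERVLET = "org.apache.catalina.servlets.WebdavServlet"
# PUT, DELETE, MOVE and COPY are named in the thread; MKCOL and PROPPATCH are
# added as an assumption of this example because they also modify resources.
MODIFYING_METHODS = ("PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH")


def _local(tag):
    """Strip the XML namespace so either web-app schema URI works."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def _patterns(elem):
    return [(p.text or "").strip() for p in _children(elem, "url-pattern")]


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means no exposure condition."""
    root = ET.fromstring(xml_text)
    findings = []
    writable = {}  # servlet-name -> class, for servlets with readonly=false

    for servlet in _children(root, "servlet"):
        name, cls = _text(servlet, "servlet-name"), _text(servlet, "servlet-class")
        if cls not in (DEFAULT_SERVLET, WEBDAV_SERVLET):
            continue
        for param in _children(servlet, "init-param"):
            if (_text(param, "param-name") == "readonly"
                    and _text(param, "param-value").lower() == "false"):
                findings.append(f"servlet '{name}' ({cls}) has readonly=false")
                writable[name] = cls

    # Mapping WebDAV as the default servlet is flagged when it is also writable,
    # matching the AND-ed conditions in the announcement.
    for mapping in _children(root, "servlet-mapping"):
        name = _text(mapping, "servlet-name")
        if writable.get(name) == WEBDAV_SERVLET and "/" in _patterns(mapping):
            findings.append(f"WebDAV servlet '{name}' is mapped as the default servlet ('/')")

    # A constraint denies untrusted users only if it carries an auth-constraint;
    # a web-resource-collection with no http-method covers every method.
    blocked = set()
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            if "/*" not in _patterns(wrc):
                continue
            methods = [(m.text or "").strip().upper() for m in _children(wrc, "http-method")]
            blocked.update(methods or MODIFYING_METHODS)

    unblocked = sorted(set(MODIFYING_METHODS) - blocked)
    if writable and unblocked:
        findings.append("modifying methods not blocked for untrusted users on /*: "
                        + ", ".join(unblocked))
    return findings


# Constructed samples for this example, not taken from any real deployment.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

# WebDAV mapped as default with readonly=false and only PUT denied: still exposed.
WEBDAV_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet><servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>no-put</web-resource-name>
      <url-pattern>/*</url-pattern><http-method>PUT</http-method></web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# readonly=true plus an empty auth-constraint that denies every modifying method.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet><servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>deny-modification</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method><http-method>DELETE</http-method><http-method>MOVE</http-method>
      <http-method>COPY</http-method><http-method>MKCOL</http-method><http-method>PROPPATCH</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""
```

Run `audit_web_xml()` over the contents of conf/web.xml and of each webapp's WEB-INF/web.xml; a webapp may re-declare the Default servlet with its own readonly value, so the global file alone is not sufficient. The empty `<auth-constraint/>` in the hardened sample denies the listed methods to every caller, which is the Servlet-specification way to express "blocked for untrusted users"; a constraint with no auth-constraint at all denies nobody, and the audit ignores it for that reason.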


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Posted by Harish Krishnan <ha...@gmail.com>.
Thank you for this latest update. 
Looking forward to the new 7.x build.

Sent from my iPhone

> On Sep 29, 2017, at 2:14 AM, Mark Thomas <ma...@apache.org> wrote:
> 
> Hi all,
> 
> Hopefully this will be the final update on this.
> 
> The fixes for CVE-2017-12617 have now been applied to all current
> versions. Releases for 9.0.x and 8.5.x are already in progress on the
> dev@ list. The release process for 8.0.x and 7.0.x is expected to start
> shortly.
> 
> As per my previous e-mail, I expect the releases to be announced over
> the weekend / early next week.
> 
> Mark
> 
> 
>> On 26/09/17 02:22, Harish Krishnan wrote:
>> Thank you for the response and confirmation, Mark.
>> 
>> Sent from my iPhone
>> 
>>>> On Sep 25, 2017, at 12:36 PM, Mark Thomas <ma...@apache.org> wrote:
>>>> 
>>>> On 25/09/17 18:12, Harish Krishnan wrote:
>>>> Hi Mark,
>>>> 
>>>> Thanks for the timely updates.
>>>> My understanding is that there will be a new 7.x update available to address CVE-2017-12617. Is that correct?
>>>> The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and CVE*12616).
>>>> When can we expect the new update for 7.x?
>>> 
>>> Over the weekend we received an additional report that demonstrated a
>>> way of bypassing the fix for CVE-2017-12615. The changes we have already
>>> made for CVE-2017-12617 also block this additional attack vector but not
>>> as cleanly as we would like. Therefore we intend to make some additional
>>> changes and re-tag 9.0.x and 8.5.x.
>>> 
>>> Separately, testing has identified a regression in the 7.0.x back-port
>>> which will need to be addressed before 7.0.x is tagged.
>>> 
>>> Timings are hard to guarantee but I think we are looking at tags in the
>>> next 24 hours or so, release votes complete in anything up to 72 hours
>>> after that (less if folks vote quickly) and the release on the mirrors 6
>>> to 12 hours after that. We might just make the weekend but early next
>>> week seems more realistic.
>>> 
>>> Mark
>>> 
>>>> 
>>>> Sent from my iPhone
>>>> 
>>>>> On Sep 22, 2017, at 2:21 AM, Mark Thomas <ma...@apache.org> wrote:
>>>>> 
>>>>> Update:
>>>>> 
>>>>> The review did not identify any further security concerns but it did
>>>>> identify a handful of places where the code could benefit from some
>>>>> clean-up. This clean-up makes the purpose of the code clearer and eases
>>>>> future maintenance in this security-relevant area of the code base.
>>>>> 
>>>>> The clean-up has been implemented and reviewed. Back-ports have been
>>>>> completed for 8.5.x and 8.0.x. 7.0.x is in progress but requires a
>>>>> little more time as 7.0.x uses the JNDI based resources implementation
>>>>> that was replaced in 8.0.x onwards.
>>>>> 
>>>>> The current expectation is that the releases will be tagged and votes
>>>>> started later today.
>>>>> 
>>>>> Mark
>>>>> 
>>>>> 
>>>>>> On 20/09/17 17:37, Mark Thomas wrote:
>>>>>> Update:
>>>>>> 
>>>>>> We believe we have a set of patches [1],[2] that addresses this for
>>>>>> 9.0.x. The plan is to give folks ~12 hours to review the proposed
>>>>>> patches and then back-port the patches, tag and release.
>>>>>> 
>>>>>> Further analysis has not identified any additional attack vectors or
>>>>>> risks associated with this vulnerability.
>>>>>> 
>>>>>> The recommended mitigations remain unchanged.
>>>>>> 
>>>>>> Mark
>>>>>> 
>>>>>> 
>>>>>> [1] http://svn.apache.org/viewvc?rev=1809011&view=rev
>>>>>> [2] http://svn.apache.org/viewvc?rev=1809025&view=rev
>>>>>> 
>>>>>> 
>>>>>>> On 20/09/17 13:20, Mark Thomas wrote:
>>>>>>> Update:
>>>>>>> 
>>>>>>> The issue has been confirmed.
>>>>>>> 
>>>>>>> CVE-2017-12617 has been allocated.
>>>>>>> 
>>>>>>> The issue is not limited to PUT requests. For the Default servlet,
>>>>>>> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
>>>>>>> COPY are believed to be affected.
>>>>>>> 
>>>>>>> The RCE via JSP upload using PUT is still believed to be the most severe
>>>>>>> impact of this vulnerability.
>>>>>>> 
>>>>>>> The recommended mitigations remain unchanged.
>>>>>>> 
>>>>>>> Mark
>>>>>>> 
>>>>>>> 
>>>>>>>> On 20/09/17 09:25, Mark Thomas wrote:
>>>>>>>> All,
>>>>>>>> 
>>>>>>>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>>>>>>>> Security Team has received multiple reports that a similar vulnerability
>>>>>>>> exists in all current Tomcat versions and affects all operating systems.
>>>>>>>> 
>>>>>>>> Unfortunately, one of these reports was made via the public bug tracker
>>>>>>>> [2] rather than responsibly via the Tomcat Security Team's private
>>>>>>>> mailing list [3].
>>>>>>>> 
>>>>>>>> We have not yet completed our investigation of these reports but, based
>>>>>>>> on the volume and our initial investigation, they appear to be valid.
>>>>>>>> 
>>>>>>>> From an initial analysis of the reports received, the vulnerability only
>>>>>>>> affects the following configurations:
>>>>>>>> 
>>>>>>>> Default Servlet
>>>>>>>> - Default Servlet configured with readonly="false"
>>>>>>>> AND
>>>>>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>>>>> 
>>>>>>>> WebDAV Servlet
>>>>>>>> - WebDAV Servlet configured with readonly="false"
>>>>>>>> AND
>>>>>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>>>>> AND
>>>>>>>> - The documented advice not to map the WebDAV servlet as the Default
>>>>>>>> servlet has been ignored
>>>>>>>> 
>>>>>>>> Please note that:
>>>>>>>> - The WebDAV servlet is disabled by default
>>>>>>>> - The default value for the readonly parameter is true for both the
>>>>>>>> Default servlet and the WebDAV servlet
>>>>>>>> 
>>>>>>>> Therefore, a default Tomcat installation is not affected by this
>>>>>>>> potential vulnerability.
>>>>>>>> 
>>>>>>>> Based on our understanding to date, the potential vulnerability may be
>>>>>>>> mitigated by any of the following:
>>>>>>>> - setting readonly to true for the Default servlet and WebDAV servlet
>>>>>>>> - blocking HTTP methods that permit resource modification for untrusted
>>>>>>>> users
>>>>>>>> 
>>>>>>>> We will provide updates to the community as our investigation of these
>>>>>>>> reports continues.
>>>>>>>> 
>>>>>>>> Mark
>>>>>>>> on behalf of the Apache Tomcat Security Team
>>>>>>>> 
>>>>>>>> 
>>>>>>>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>>>>>>>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>>>>>>> [3] http://tomcat.apache.org/security.html
>>>>>>>> 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
Hi all,

Hopefully this will be the final update on this.

The fixes for CVE-2017-12617 have now been applied to all current
versions. Releases for 9.0.x and 8.5.x are already in progress on the
dev@ list. The release process for 8.0.x and 7.0.x is expected to start
shortly.

As per my previous e-mail, I expect the releases to be announced over
the weekend / early next week.

Mark


On 26/09/17 02:22, Harish Krishnan wrote:
> Thank you for the response and confirmation, Mark.
> 
> Sent from my iPhone
> 
>> On Sep 25, 2017, at 12:36 PM, Mark Thomas <ma...@apache.org> wrote:
>>
>>> On 25/09/17 18:12, Harish Krishnan wrote:
>>> Hi Mark,
>>>
>>> Thanks for the timely updates.
>>> My understanding is that there will be a new 7.x update available to address CVE-2017-12617. Is that correct?
>>> The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and CVE*12616).
>>> When can we expect the new update for 7.x?
>>
>> Over the weekend we received an additional report that demonstrated a
>> way of bypassing the fix for CVE-2017-12615. The changes we have already
>> made for CVE-2017-12617 also block this additional attack vector but not
>> as cleanly as we would like. Therefore we intend to make some additional
>> changes and re-tag 9.0.x and 8.5.x.
>>
>> Separately, testing has identified a regression in the 7.0.x back-port
>> which will need to be addressed before 7.0.x is tagged.
>>
>> Timings are hard to guarantee but I think we are looking at tags in the
>> next 24 hours or so, release votes complete in anything up to 72 hours
>> after that (less if folks vote quickly) and the release on the mirrors 6
>> to 12 hours after that. We might just make the weekend but early next
>> week seems more realistic.
>>
>> Mark
>>
>>>
>>> Sent from my iPhone
>>>
>>>> On Sep 22, 2017, at 2:21 AM, Mark Thomas <ma...@apache.org> wrote:
>>>>
>>>> Update:
>>>>
>>>> The review did not identify any further security concerns but it did
>>>> identify a handful of places where the code could benefit from some
>>>> clean-up. This clean-up makes the purpose of the code clearer and eases
>>>> future maintenance in this security-relevant area of the code base.
>>>>
>>>> The clean-up has been implemented and reviewed. Back-ports have been
>>>> completed for 8.5.x and 8.0.x. 7.0.x is in progress but requires a
>>>> little more time as 7.0.x uses the JNDI based resources implementation
>>>> that was replaced in 8.0.x onwards.
>>>>
>>>> The current expectation is that the releases will be tagged and votes
>>>> started later today.
>>>>
>>>> Mark
>>>>
>>>>
>>>>> On 20/09/17 17:37, Mark Thomas wrote:
>>>>> Update:
>>>>>
>>>>> We believe we have a set of patches [1],[2] that addresses this for
>>>>> 9.0.x. The plan is to give folks ~12 hours to review the proposed
>>>>> patches and then back-port the patches, tag and release.
>>>>>
>>>>> Further analysis has not identified any additional attack vectors or
>>>>> risks associated with this vulnerability.
>>>>>
>>>>> The recommended mitigations remain unchanged.
>>>>>
>>>>> Mark
>>>>>
>>>>>
>>>>> [1] http://svn.apache.org/viewvc?rev=1809011&view=rev
>>>>> [2] http://svn.apache.org/viewvc?rev=1809025&view=rev
>>>>>
>>>>>
>>>>>> On 20/09/17 13:20, Mark Thomas wrote:
>>>>>> Update:
>>>>>>
>>>>>> The issue has been confirmed.
>>>>>>
>>>>>> CVE-2017-12617 has been allocated.
>>>>>>
>>>>>> The issue is not limited to PUT requests. For the Default servlet,
>>>>>> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
>>>>>> COPY are believed to be affected.
>>>>>>
>>>>>> The RCE via JSP upload using PUT is still believed to be the most severe
>>>>>> impact of this vulnerability.
>>>>>>
>>>>>> The recommended mitigations remain unchanged.
>>>>>>
>>>>>> Mark
>>>>>>
>>>>>>
>>>>>>> On 20/09/17 09:25, Mark Thomas wrote:
>>>>>>> All,
>>>>>>>
>>>>>>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>>>>>>> Security Team has received multiple reports that a similar vulnerability
>>>>>>> exists in all current Tomcat versions and affects all operating systems.
>>>>>>>
>>>>>>> Unfortunately, one of these reports was made via the public bug tracker
>>>>>>> [2] rather than responsibly via the Tomcat Security Team's private
>>>>>>> mailing list [3].
>>>>>>>
>>>>>>> We have not yet completed our investigation of these reports but, based
>>>>>>> on the volume and our initial investigation, they appear to be valid.
>>>>>>>
>>>>>>> From an initial analysis of the reports received, the vulnerability only
>>>>>>> affects the following configurations:
>>>>>>>
>>>>>>> Default Servlet
>>>>>>> - Default Servlet configured with readonly="false"
>>>>>>> AND
>>>>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>>>>
>>>>>>> WebDAV Servlet
>>>>>>> - WebDAV Servlet configured with readonly="false"
>>>>>>> AND
>>>>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>>>> AND
>>>>>>> - The documented advice not to map the WebDAV servlet as the Default
>>>>>>> servlet has been ignored
>>>>>>>
>>>>>>> Please note that:
>>>>>>> - The WebDAV servlet is disabled by default
>>>>>>> - The default value for the readonly parameter is true for both the
>>>>>>>  Default servlet and the WebDAV servlet
>>>>>>>
>>>>>>> Therefore, a default Tomcat installation is not affected by this
>>>>>>> potential vulnerability.
>>>>>>>
>>>>>>> Based on our understanding to date, the potential vulnerability may be
>>>>>>> mitigated by any of the following:
>>>>>>> - setting readonly to true for the Default servlet and WebDAV servlet
>>>>>>> - blocking HTTP methods that permit resource modification for untrusted
>>>>>>> users
>>>>>>>
>>>>>>> We will provide updates to the community as our investigation of these
>>>>>>> reports continues.
>>>>>>>
>>>>>>> Mark
>>>>>>> on behalf of the Apache Tomcat Security Team
>>>>>>>
>>>>>>>
>>>>>>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>>>>>>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>>>>>> [3] http://tomcat.apache.org/security.html
>>>>>>>


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Posted by Harish Krishnan <ha...@gmail.com>.
Thank you for the response and confirmation, Mark.

Sent from my iPhone

> On Sep 25, 2017, at 12:36 PM, Mark Thomas <ma...@apache.org> wrote:
> 
>> On 25/09/17 18:12, Harish Krishnan wrote:
>> Hi Mark,
>> 
>> Thanks for the timely updates.
>> My understanding is that there will be a new 7.x update available to address CVE-2017-12617. Is that correct?
>> The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and CVE*12616).
>> When can we expect the new update for 7.x?
> 
> Over the weekend we received an additional report that demonstrated a
> way of bypassing the fix for CVE-2017-12615. The changes we have already
> made for CVE-2017-12617 also block this additional attack vector but not
> as cleanly as we would like. Therefore we intend to make some additional
> changes and re-tag 9.0.x and 8.5.x.
> 
> Separately, testing has identified a regression in the 7.0.x back-port
> which will need to be addressed before 7.0.x is tagged.
> 
> Timings are hard to guarantee but I think we are looking at tags in the
> next 24 hours or so, release votes complete in anything up to 72 hours
> after that (less if folks vote quickly) and the release on the mirrors 6
> to 12 hours after that. We might just make the weekend but early next
> week seems more realistic.
> 
> Mark
> 
>> 
>> Sent from my iPhone
>> 
>>> On Sep 22, 2017, at 2:21 AM, Mark Thomas <ma...@apache.org> wrote:
>>> 
>>> Update:
>>> 
>>> The review did not identify any further security concerns but it did
>>> identify a handful of places where the code could benefit from some
>>> clean-up. This clean-up makes the purpose of the code clearer and eases
>>> future maintenance in this security-relevant area of the code base.
>>> 
>>> The clean-up has been implemented and reviewed. Back-ports have been
>>> completed for 8.5.x and 8.0.x. 7.0.x is in progress but requires a
>>> little more time as 7.0.x uses the JNDI based resources implementation
>>> that was replaced in 8.0.x onwards.
>>> 
>>> The current expectation is that the releases will be tagged and votes
>>> started later today.
>>> 
>>> Mark
>>> 
>>> 
>>>> On 20/09/17 17:37, Mark Thomas wrote:
>>>> Update:
>>>> 
>>>> We believe we have a set of patches [1],[2] that addresses this for
>>>> 9.0.x. The plan is to give folks ~12 hours to review the proposed
>>>> patches and then back-port the patches, tag and release.
>>>> 
>>>> Further analysis has not identified any additional attack vectors or
>>>> risks associated with this vulnerability.
>>>> 
>>>> The recommended mitigations remain unchanged.
>>>> 
>>>> Mark
>>>> 
>>>> 
>>>> [1] http://svn.apache.org/viewvc?rev=1809011&view=rev
>>>> [2] http://svn.apache.org/viewvc?rev=1809025&view=rev
>>>> 
>>>> 
>>>>> On 20/09/17 13:20, Mark Thomas wrote:
>>>>> Update:
>>>>> 
>>>>> The issue has been confirmed.
>>>>> 
>>>>> CVE-2017-12617 has been allocated.
>>>>> 
>>>>> The issue is not limited to PUT requests. For the Default servlet,
>>>>> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
>>>>> COPY are believed to be affected.
>>>>> 
>>>>> The RCE via JSP upload using PUT is still believed to be the most severe
>>>>> impact of this vulnerability.
>>>>> 
>>>>> The recommended mitigations remain unchanged.
>>>>> 
>>>>> Mark
>>>>> 
>>>>> 
>>>>>> On 20/09/17 09:25, Mark Thomas wrote:
>>>>>> All,
>>>>>> 
>>>>>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>>>>>> Security Team has received multiple reports that a similar vulnerability
>>>>>> exists in all current Tomcat versions and affects all operating systems.
>>>>>> 
>>>>>> Unfortunately, one of these reports was made via the public bug tracker
>>>>>> [2] rather than responsibly via the Tomcat Security Team's private
>>>>>> mailing list [3].
>>>>>> 
>>>>>> We have not yet completed our investigation of these reports but, based
>>>>>> on the volume and our initial investigation, they appear to be valid.
>>>>>> 
>>>>>> From an initial analysis of the reports received, the vulnerability only
>>>>>> affects the following configurations:
>>>>>> 
>>>>>> Default Servlet
>>>>>> - Default Servlet configured with readonly="false"
>>>>>> AND
>>>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>>> 
>>>>>> WebDAV Servlet
>>>>>> - WebDAV Servlet configured with readonly="false"
>>>>>> AND
>>>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>>> AND
>>>>>> - The documented advice not to map the WebDAV servlet as the Default
>>>>>> servlet has been ignored
>>>>>> 
>>>>>> Please note that:
>>>>>> - The WebDAV servlet is disabled by default
>>>>>> - The default value for the readonly parameter is true for both the
>>>>>>  Default servlet and the WebDAV servlet
>>>>>> 
>>>>>> Therefore, a default Tomcat installation is not affected by this
>>>>>> potential vulnerability.
>>>>>> 
>>>>>> Based on our understanding to date, the potential vulnerability may be
>>>>>> mitigated by any of the following:
>>>>>> - setting readonly to true for the Default servlet and WebDAV servlet
>>>>>> - blocking HTTP methods that permit resource modification for untrusted
>>>>>> users
>>>>>> 
>>>>>> We will provide updates to the community as our investigation of these
>>>>>> reports continues.
>>>>>> 
>>>>>> Mark
>>>>>> on behalf of the Apache Tomcat Security Team
>>>>>> 
>>>>>> 
>>>>>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>>>>>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>>>>> [3] http://tomcat.apache.org/security.html
>>>>>> 


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
On 25/09/17 18:12, Harish Krishnan wrote:
> Hi Mark,
> 
> Thanks for the timely updates.
> My understanding is that there will be a new 7.x update available to address CVE-2017-12617. Is that correct?
> The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and CVE*12616).
> When can we expect the new update for 7.x?

Over the weekend we received an additional report that demonstrated a
way of bypassing the fix for CVE-2017-12615. The changes we have already
made for CVE-2017-12617 also block this additional attack vector but not
as cleanly as we would like. Therefore we intend to make some additional
changes and re-tag 9.0.x and 8.5.x.

Separately, testing has identified a regression in the 7.0.x back-port
which will need to be addressed before 7.0.x is tagged.

Timings are hard to guarantee but I think we are looking at tags in the
next 24 hours or so, release votes complete in anything up to 72 hours
after that (less if folks vote quickly) and the release on the mirrors 6
to 12 hours after that. We might just make the weekend but early next
week seems more realistic.

Mark

> 
> Sent from my iPhone
> 
>> On Sep 22, 2017, at 2:21 AM, Mark Thomas <ma...@apache.org> wrote:
>>
>> Update:
>>
>> The review did not identify any further security concerns but it did
>> identify a handful of places where the code could benefit from some
>> clean-up. This clean-up makes the purpose of the code clearer and eases
>> future maintenance in this security-relevant area of the code base.
>>
>> The clean-up has been implemented and reviewed. Back-ports have been
>> completed for 8.5.x and 8.0.x. 7.0.x is in progress but requires a
>> little more time as 7.0.x uses the JNDI based resources implementation
>> that was replaced in 8.0.x onwards.
>>
>> The current expectation is that the releases will be tagged and votes
>> started later today.
>>
>> Mark
>>
>>
>>> On 20/09/17 17:37, Mark Thomas wrote:
>>> Update:
>>>
>>> We believe we have a set of patches [1],[2] that addresses this for
>>> 9.0.x. The plan is to give folks ~12 hours to review the proposed
>>> patches and then back-port the patches, tag and release.
>>>
>>> Further analysis has not identified any additional attack vectors or
>>> risks associated with this vulnerability.
>>>
>>> The recommended mitigations remain unchanged.
>>>
>>> Mark
>>>
>>>
>>> [1] http://svn.apache.org/viewvc?rev=1809011&view=rev
>>> [2] http://svn.apache.org/viewvc?rev=1809025&view=rev
>>>
>>>
>>>> On 20/09/17 13:20, Mark Thomas wrote:
>>>> Update:
>>>>
>>>> The issue has been confirmed.
>>>>
>>>> CVE-2017-12617 has been allocated.
>>>>
>>>> The issue is not limited to PUT requests. For the Default servlet,
>>>> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
>>>> COPY are believed to be affected.
>>>>
>>>> The RCE via JSP upload using PUT is still believed to be the most severe
>>>> impact of this vulnerability.
>>>>
>>>> The recommended mitigations remain unchanged.
>>>>
>>>> Mark
>>>>
>>>>
>>>>> On 20/09/17 09:25, Mark Thomas wrote:
>>>>> All,
>>>>>
>>>>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>>>>> Security Team has received multiple reports that a similar vulnerability
>>>>> exists in all current Tomcat versions and affects all operating systems.
>>>>>
>>>>> Unfortunately, one of these reports was made via the public bug tracker
>>>>> [2] rather than responsibly via the Tomcat Security Team's private
>>>>> mailing list [3].
>>>>>
>>>>> We have not yet completed our investigation of these reports but, based
>>>>> on the volume and our initial investigation, they appear to be valid.
>>>>>
>>>>> From an initial analysis of the reports received, the vulnerability only
>>>>> affects the following configurations:
>>>>>
>>>>> Default Servlet
>>>>> - Default Servlet configured with readonly="false"
>>>>>  AND
>>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>>
>>>>> WebDAV Servlet
>>>>> - WebDAV Servlet configured with readonly="false"
>>>>>  AND
>>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>>  AND
>>>>> - The documented advice not to map the WebDAV servlet as the Default
>>>>>  servlet has been ignored
>>>>>
>>>>> Please note that:
>>>>> - The WebDAV servlet is disabled by default
>>>>> - The default value for the readonly parameter is true for both the
>>>>>   Default servlet and the WebDAV servlet
>>>>>
>>>>> Therefore, a default Tomcat installation is not affected by this
>>>>> potential vulnerability.
>>>>>
>>>>> Based on our understanding to date, the potential vulnerability may be
>>>>> mitigated by any of the following:
>>>>> - setting readonly to true for the Default servlet and WebDAV servlet
>>>>> - blocking HTTP methods that permit resource modification for untrusted
>>>>>  users
>>>>>
>>>>> We will provide updates to the community as our investigation of these
>>>>> reports continues.
>>>>>
>>>>> Mark
>>>>> on behalf of the Apache Tomcat Security Team
>>>>>
>>>>>
>>>>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>>>>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>>>> [3] http://tomcat.apache.org/security.html
>>>>>


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Posted by Harish Krishnan <ha...@gmail.com>.
Hi Mark,

Thanks for the timely updates.
My understanding is, there will be a new 7.x update available for addressing CVE-2017-12617. Is that correct?
The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and CVE*12616).
When can we expect the new update for 7.x?

Sent from my iPhone

> On Sep 22, 2017, at 2:21 AM, Mark Thomas <ma...@apache.org> wrote:
> 
> Update:
> 
> The review did not identify any further security concerns but it did
> identify a handful of places where the code could benefit from some
> clean-up. This clean-up makes the purpose of the code clearer and eases
> future maintenance in this security-relevant area of the code base.
> 
> The clean-up has been implemented and reviewed. Back-ports have been
> completed for 8.5.x and 8.0.x. 7.0.x is in progress but requires a
> little more time as 7.0.x uses the JNDI based resources implementation
> that was replaced in 8.0.x onwards.
> 
> The current expectation is that the releases will be tagged and votes
> started later today.
> 
> Mark
> 
> 
>> On 20/09/17 17:37, Mark Thomas wrote:
>> Update:
>> 
>> We believe we have a set of patches [1],[2] that addresses this for
>> 9.0.x. The plan is to give folks ~12 hours to review the proposed
>> patches and then back-port the patches, tag and release.
>> 
>> Further analysis has not identified any additional attack vectors or
>> risks associated with this vulnerability.
>> 
>> The recommended mitigations remain unchanged.
>> 
>> Mark
>> 
>> 
>> [1] http://svn.apache.org/viewvc?rev=1809011&view=rev
>> [2] http://svn.apache.org/viewvc?rev=1809025&view=rev
>> 
>> 
>>> On 20/09/17 13:20, Mark Thomas wrote:
>>> Update:
>>> 
>>> The issue has been confirmed.
>>> 
>>> CVE-2017-12617 has been allocated.
>>> 
>>> The issue is not limited to PUT requests. For the Default servlet,
>>> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
>>> COPY are believed to be affected.
>>> 
>>> The RCE via JSP upload using PUT is still believed to be the most severe
>>> impact of this vulnerability.
>>> 
>>> The recommended mitigations remain unchanged.
>>> 
>>> Mark
>>> 
>>> 
>>>> On 20/09/17 09:25, Mark Thomas wrote:
>>>> All,
>>>> 
>>>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>>>> Security Team has received multiple reports that a similar vulnerability
>>>> exists in all current Tomcat versions and affects all operating systems.
>>>> 
>>>> Unfortunately, one of these reports was made via the public bug tracker
>>>> [2] rather than responsibly via the Tomcat Security Team's private
>>>> mailing list [3].
>>>> 
>>>> We have not yet completed our investigation of these reports but, based
>>>> on the volume, and our initial investigation they appear to be valid.
>>>> 
>>>> From an initial analysis of the reports received, the vulnerability only
>>>> affects the following configurations:
>>>> 
>>>> Default Servlet
>>>> - Default Servlet configured with readonly="false"
>>>>  AND
>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>> 
>>>> WebDAV Servlet
>>>> - WebDAV Servlet configured with readonly="false"
>>>>  AND
>>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>>  AND
>>>> - The documented advice not to map the WebDAV servlet as the Default
>>>>  servlet has been ignored
>>>> 
>>>> Please note that:
>>>> - The WebDAV servlet is disabled by default
>>>> - The default value for the readonly parameter is true for both the
>>>>   Default servlet and the WebDAV servlet
>>>> 
>>>> Therefore, a default Tomcat installation is not affected by this
>>>> potential vulnerability.
>>>> 
>>>> Based on our understanding to date, the potential vulnerability may be
>>>> mitigated by any of the following:
>>>> - setting readonly to true for the Default servlet and WebDAV servlet
>>>> - blocking HTTP methods that permit resource modification for untrusted
>>>>  users
>>>> 
>>>> We will provide updates to the community as our investigation of these
>>>> reports continues.
>>>> 
>>>> Mark
>>>> on behalf of the Apache Tomcat Security Team
>>>> 
>>>> 
>>>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>>>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>>> [3] http://tomcat.apache.org/security.html


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
Update:

The review did not identify any further security concerns but it did
identify a handful of places where the code could benefit from some
clean-up. This clean-up makes the purpose of the code clearer and eases
future maintenance in this security-relevant area of the code base.

The clean-up has been implemented and reviewed. Back-ports have been
completed for 8.5.x and 8.0.x. 7.0.x is in progress but requires a
little more time as 7.0.x uses the JNDI based resources implementation
that was replaced in 8.0.x onwards.

The current expectation is that the releases will be tagged and votes
started later today.

Mark


On 20/09/17 17:37, Mark Thomas wrote:
> Update:
> 
> We believe we have a set of patches [1],[2] that addresses this for
> 9.0.x. The plan is to give folks ~12 hours to review the proposed
> patches and then back-port the patches, tag and release.
> 
> Further analysis has not identified any additional attack vectors or
> risks associated with this vulnerability.
> 
> The recommended mitigations remain unchanged.
> 
> Mark
> 
> 
> [1] http://svn.apache.org/viewvc?rev=1809011&view=rev
> [2] http://svn.apache.org/viewvc?rev=1809025&view=rev
> 
> 
> On 20/09/17 13:20, Mark Thomas wrote:
>> Update:
>>
>> The issue has been confirmed.
>>
>> CVE-2017-12617 has been allocated.
>>
>> The issue is not limited to PUT requests. For the Default servlet,
>> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
>> COPY are believed to be affected.
>>
>> The RCE via JSP upload using PUT is still believed to be the most severe
>> impact of this vulnerability.
>>
>> The recommended mitigations remain unchanged.
>>
>> Mark
>>
>>
>> On 20/09/17 09:25, Mark Thomas wrote:
>>> All,
>>>
>>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>>> Security Team has received multiple reports that a similar vulnerability
>>> exists in all current Tomcat versions and affects all operating systems.
>>>
>>> Unfortunately, one of these reports was made via the public bug tracker
>>> [2] rather than responsibly via the Tomcat Security Team's private
>>> mailing list [3].
>>>
>>> We have not yet completed our investigation of these reports but, based
>>> on the volume, and our initial investigation they appear to be valid.
>>>
>>> From an initial analysis of the reports received, the vulnerability only
>>> affects the following configurations:
>>>
>>> Default Servlet
>>> - Default Servlet configured with readonly="false"
>>>   AND
>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>
>>> WebDAV Servlet
>>> - WebDAV Servlet configured with readonly="false"
>>>   AND
>>> - Untrusted users are permitted to perform HTTP PUT requests
>>>   AND
>>> - The documented advice not to map the WebDAV servlet as the Default
>>>   servlet has been ignored
>>>
>>> Please note that:
>>>  - The WebDAV servlet is disabled by default
>>>  - The default value for the readonly parameter is true for both the
>>>    Default servlet and the WebDAV servlet
>>>
>>> Therefore, a default Tomcat installation is not affected by this
>>> potential vulnerability.
>>>
>>> Based on our understanding to date, the potential vulnerability may be
>>> mitigated by any of the following:
>>> - setting readonly to true for the Default servlet and WebDAV servlet
>>> - blocking HTTP methods that permit resource modification for untrusted
>>>   users
>>>
>>> We will provide updates to the community as our investigation of these
>>> reports continues.
>>>
>>> Mark
>>> on behalf of the Apache Tomcat Security Team
>>>
>>>
>>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>>> [3] http://tomcat.apache.org/security.html


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
Update:

We believe we have a set of patches [1],[2] that addresses this for
9.0.x. The plan is to give folks ~12 hours to review the proposed
patches and then back-port the patches, tag and release.

Further analysis has not identified any additional attack vectors or
risks associated with this vulnerability.

The recommended mitigations remain unchanged.

Mark


[1] http://svn.apache.org/viewvc?rev=1809011&view=rev
[2] http://svn.apache.org/viewvc?rev=1809025&view=rev


On 20/09/17 13:20, Mark Thomas wrote:
> Update:
> 
> The issue has been confirmed.
> 
> CVE-2017-12617 has been allocated.
> 
> The issue is not limited to PUT requests. For the Default servlet,
> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
> COPY are believed to be affected.
> 
> The RCE via JSP upload using PUT is still believed to be the most severe
> impact of this vulnerability.
> 
> The recommended mitigations remain unchanged.
> 
> Mark
> 
> 
> On 20/09/17 09:25, Mark Thomas wrote:
>> All,
>>
>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
>> Security Team has received multiple reports that a similar vulnerability
>> exists in all current Tomcat versions and affects all operating systems.
>>
>> Unfortunately, one of these reports was made via the public bug tracker
>> [2] rather than responsibly via the Tomcat Security Team's private
>> mailing list [3].
>>
>> We have not yet completed our investigation of these reports but, based
>> on the volume, and our initial investigation they appear to be valid.
>>
>> From an initial analysis of the reports received, the vulnerability only
>> affects the following configurations:
>>
>> Default Servlet
>> - Default Servlet configured with readonly="false"
>>   AND
>> - Untrusted users are permitted to perform HTTP PUT requests
>>
>> WebDAV Servlet
>> - WebDAV Servlet configured with readonly="false"
>>   AND
>> - Untrusted users are permitted to perform HTTP PUT requests
>>   AND
>> - The documented advice not to map the WebDAV servlet as the Default
>>   servlet has been ignored
>>
>> Please note that:
>>  - The WebDAV servlet is disabled by default
>>  - The default value for the readonly parameter is true for both the
>>    Default servlet and the WebDAV servlet
>>
>> Therefore, a default Tomcat installation is not affected by this
>> potential vulnerability.
>>
>> Based on our understanding to date, the potential vulnerability may be
>> mitigated by any of the following:
>> - setting readonly to true for the Default servlet and WebDAV servlet
>> - blocking HTTP methods that permit resource modification for untrusted
>>   users
>>
>> We will provide updates to the community as our investigation of these
>> reports continues.
>>
>> Mark
>> on behalf of the Apache Tomcat Security Team
>>
>>
>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>> [3] http://tomcat.apache.org/security.html


Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
Update:

The issue has been confirmed.

CVE-2017-12617 has been allocated.

The issue is not limited to PUT requests. For the Default servlet,
DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and
COPY are believed to be affected.

The RCE via JSP upload using PUT is still believed to be the most severe
impact of this vulnerability.

The recommended mitigations remain unchanged.

Mark


On 20/09/17 09:25, Mark Thomas wrote:
> All,
> 
> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
> Security Team has received multiple reports that a similar vulnerability
> exists in all current Tomcat versions and affects all operating systems.
> 
> Unfortunately, one of these reports was made via the public bug tracker
> [2] rather than responsibly via the Tomcat Security Team's private
> mailing list [3].
> 
> We have not yet completed our investigation of these reports but, based
> on the volume, and our initial investigation they appear to be valid.
> 
> From an initial analysis of the reports received, the vulnerability only
> affects the following configurations:
> 
> Default Servlet
> - Default Servlet configured with readonly="false"
>   AND
> - Untrusted users are permitted to perform HTTP PUT requests
> 
> WebDAV Servlet
> - WebDAV Servlet configured with readonly="false"
>   AND
> - Untrusted users are permitted to perform HTTP PUT requests
>   AND
> - The documented advice not to map the WebDAV servlet as the Default
>   servlet has been ignored
> 
> Please note that:
>  - The WebDAV servlet is disabled by default
>  - The default value for the readonly parameter is true for both the
>    Default servlet and the WebDAV servlet
> 
> Therefore, a default Tomcat installation is not affected by this
> potential vulnerability.
> 
> Based on our understanding to date, the potential vulnerability may be
> mitigated by any of the following:
> - setting readonly to true for the Default servlet and WebDAV servlet
> - blocking HTTP methods that permit resource modification for untrusted
>   users
> 
> We will provide updates to the community as our investigation of these
> reports continues.
> 
> Mark
> on behalf of the Apache Tomcat Security Team
> 
> 
> [1] http://markmail.org/message/xqfchebiy6fjmvjz
> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
> [3] http://tomcat.apache.org/security.html


Re: Re: Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

Posted by pe...@zte.com.cn.

Re: Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

Posted by pe...@zte.com.cn.

Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

Posted by vishal suvagia <vi...@yahoo.com.INVALID>.
Hi All,

FYI, please find below a mail from Mark, a member of the Apache Tomcat security team.
Looks like the Tomcat team is working on fixing the CVE issues.
For the same issue RANGER-1797 is created (to upgrade to Tomcat 7.0.81, which also seems to be vulnerable); can we please evaluate the risks of updating the Tomcat version.

Thanks
Vishal Suvagia.
-----------------------------------------------------------------------------------------------------------


On Wednesday, 20 September 2017 2:41 PM, Mark Thomas <ma...@apache.org> wrote:


All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker
[2] rather than responsibly via the Tomcat Security Team's private
mailing list [3].

We have not yet completed our investigation of these reports but, based
on the volume, and our initial investigation they appear to be valid.

From an initial analysis of the reports received, the vulnerability only
affects the following configurations:

Default Servlet
- Default Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests

WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests
  AND
- The documented advice not to map the WebDAV servlet as the Default
  servlet has been ignored

Please note that:
 - The WebDAV servlet is disabled by default
 - The default value for the readonly parameter is true for both the
  Default servlet and the WebDAV servlet

Therefore, a default Tomcat installation is not affected by this
potential vulnerability.

Based on our understanding to date, the potential vulnerability may be
mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted
  users

We will provide updates to the community as our investigation of these
reports continues.

Mark
on behalf of the Apache Tomcat Security Team


[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html


   

[FYI] Fwd: Fwd: [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

Posted by Jacques Le Roux <ja...@les7arts.com>.
This is for your information in case you use a WebDAV Servlet with readonly="false".

Jacques


-------- Forwarded Message --------
Subject: 	Fwd: [SECURITY] Apache Tomcat Possible additional RCE via JSP upload
Date: 	Wed, 20 Sep 2017 12:29:29 +0200
From: 	Jacques Le Roux <ja...@les7arts.com>
Reply-To: 	dev@ofbiz.apache.org
Organization: 	Les Arts Informatiques
To: 	dev@ofbiz.apache.org <de...@ofbiz.apache.org>



Hi,

I checked; from my investigation we are safe:

  * no default servlet is configured with readonly="false" in any of the web.xml files
  * the only iCalendar WebDAV Servlet is not configured with readonly="false"
    https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/servlets/WebdavServlet.html

I think we need to let our users know about this possible vulnerability since Tomcat is embedded in OFBiz.

Jacques


-------- Forwarded Message --------
Subject: 	[SECURITY] Apache Tomcat Possible additional RCE via JSP upload
Date: 	Wed, 20 Sep 2017 09:25:35 +0100
From: 	Mark Thomas <ma...@apache.org>
To: 	Tomcat Users List <us...@tomcat.apache.org>
Cc: 	Tomcat Developers List <de...@tomcat.apache.org>, announce@tomcat.apache.org <an...@tomcat.apache.org>, announce@apache.org



All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker
[2] rather than responsibly via the Tomcat Security Team's private
mailing list [3].

We have not yet completed our investigation of these reports but, based
on the volume, and our initial investigation they appear to be valid.

From an initial analysis of the reports received, the vulnerability only
affects the following configurations:

Default Servlet
- Default Servlet configured with readonly="false"
   AND
- Untrusted users are permitted to perform HTTP PUT requests

WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
   AND
- Untrusted users are permitted to perform HTTP PUT requests
   AND
- The documented advice not to map the WebDAV servlet as the Default
   servlet has been ignored

Please note that:
  - The WebDAV servlet is disabled by default
  - The default value for the readonly parameter is true for both the
    Default servlet and the WebDAV servlet

Therefore, a default Tomcat installation is not affected by this
potential vulnerability.

Based on our understanding to date, the potential vulnerability may be
mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted
   users

We will provide updates to the community as our investigation of these
reports continues.

Mark
on behalf of the Apache Tomcat Security Team


[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html
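
Jacques's check above (no Default or WebDAV servlet with readonly="false" in any web.xml) can be scripted. The following is an added example, not code from this thread or from Tomcat, that audits a web.xml for the conditions the advisory and Mark's later update describe: a Default or WebDAV servlet with readonly=false, the modifying methods (PUT, DELETE, MOVE, COPY) reachable without an auth-constraint, and the WebDAV servlet mapped as the default servlet. The descriptors it checks are constructed for illustration; the servlet class names are Tomcat's own.

```python
# Added example, not code from the thread or from Tomcat; sample descriptors below are constructed.
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
WEBDAV_SERVLET = "org.apache.catalina.servlets.WebdavServlet"
# Methods the thread names as affected (PUT, DELETE; MOVE and COPY for WebDAV).
MODIFYING_METHODS = {"PUT", "DELETE", "MOVE", "COPY"}


def _local(tag):
    """Strip the namespace ('{uri}name' -> 'name'); web.xml declares one."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def audit_web_xml(xml_text):
    """Return a list of findings; empty means none of the advisory's
    affected configurations is present in this descriptor."""
    root = ET.fromstring(xml_text)
    servlets = {}  # servlet-name -> (class, readonly init-param, lowercased)
    for s in _children(root, "servlet"):
        readonly = None  # absent means Tomcat's default, which is true
        for p in _children(s, "init-param"):
            if _text(p, "param-name") == "readonly":
                readonly = (_text(p, "param-value") or "").lower()
        servlets[_text(s, "servlet-name")] = (_text(s, "servlet-class"), readonly)
    mappings = {}  # servlet-name -> url-patterns
    for m in _children(root, "servlet-mapping"):
        pats = [u.text.strip() for u in _children(m, "url-pattern") if u.text]
        mappings.setdefault(_text(m, "servlet-name"), []).extend(pats)
    # A method counts as blocked for untrusted users only when the constraint
    # has an <auth-constraint>; without one the Servlet spec grants access.
    blocked = set()
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            blocked |= {h.text.strip().upper()
                        for h in _children(wrc, "http-method") if h.text}
    unblocked = sorted(MODIFYING_METHODS - blocked)
    findings = []
    for name, (cls, readonly) in servlets.items():
        if cls not in (DEFAULT_SERVLET, WEBDAV_SERVLET):
            continue
        if readonly == "false" and unblocked:
            findings.append(f"{name}: readonly=false and {unblocked} "
                            "reachable by untrusted users")
        if cls == WEBDAV_SERVLET and "/" in mappings.get(name, []):
            findings.append(f"{name}: WebDAV servlet mapped as the default servlet")
    return findings


# Constructed descriptor with the weak setting: readonly=false, nothing blocked.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

# Same servlet with the advisory's second mitigation applied: the modifying
# methods require a role. (Its first mitigation is simply readonly=true.)
HARDENED_WEB_XML = WEAK_WEB_XML.replace("</web-app>", """
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>content modification</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method><http-method>DELETE</http-method>
      <http-method>MOVE</http-method><http-method>COPY</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>content-admin</role-name></auth-constraint>
  </security-constraint>
</web-app>""")
```

Calling audit_web_xml(WEAK_WEB_XML) reports the four methods as reachable; audit_web_xml(HARDENED_WEB_XML) returns an empty list, and a descriptor in which the same servlet is the WebDAV servlet mapped to "/" gets the extra mapping finding.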



Fwd: [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi,

I checked; from my investigation we are safe:

  * no default servlet is configured with readonly="false" in any of the web.xml files
  * the only iCalendar WebDAV Servlet is not configured with readonly="false"
    https://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/servlets/WebdavServlet.html

I think we need to let our users know about this possible vulnerability since Tomcat is embedded in OFBiz.

Jacques


-------- Forwarded Message --------
Subject: 	[SECURITY] Apache Tomcat Possible additional RCE via JSP upload
Date: 	Wed, 20 Sep 2017 09:25:35 +0100
From: 	Mark Thomas <ma...@apache.org>
To: 	Tomcat Users List <us...@tomcat.apache.org>
Cc: 	Tomcat Developers List <de...@tomcat.apache.org>, announce@tomcat.apache.org <an...@tomcat.apache.org>, announce@apache.org



All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker
[2] rather than responsibly via the Tomcat Security Team's private
mailing list [3].

We have not yet completed our investigation of these reports but, based
on the volume, and our initial investigation they appear to be valid.

From an initial analysis of the reports received, the vulnerability only
affects the following configurations:

Default Servlet
- Default Servlet configured with readonly="false"
   AND
- Untrusted users are permitted to perform HTTP PUT requests

WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
   AND
- Untrusted users are permitted to perform HTTP PUT requests
   AND
- The documented advice not to map the WebDAV servlet as the Default
   servlet has been ignored

Please note that:
  - The WebDAV servlet is disabled by default
  - The default value for the readonly parameter is true for both the
    Default servlet and the WebDAV servlet

Therefore, a default Tomcat installation is not affected by this
potential vulnerability.

Based on our understanding to date, the potential vulnerability may be
mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted
   users

We will provide updates to the community as our investigation of these
reports continues.

Mark
on behalf of the Apache Tomcat Security Team


[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html