Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2017/09/19 10:58:44 UTC

[SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79

Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the
readonly initialisation parameter of the Default to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by iswin from 360-sg-lab (360观星实验室)

History:
2017-09-19 Original advisory

References:
[1] http://tomcat.apache.org/security-7.html

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[CORRECTION][SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
The body of the original advisory referred to CVE-2017-7674. This was
incorrect. It was a copy and paste error from a previous Tomcat advisory.

The correct CVE reference is CVE-2017-12615, as per the subject line.


On 19/09/17 11:58, Mark Thomas wrote:
> CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload


RE: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Posted by "Thakur, Gulam (IBM)" <Gu...@bp.com>.
Hi,

This we require in Windows systems. We will be looking at Windows 10. Spring Boot application, Microsoft Azure based.


Many thanks, 

Gulam Thakur
Software Developer, Synapse Dev Squad 
BP Sunbury, Bldg H, 1st floor
TW16 7LN


Mobile: +44 (0) 7443 243808 
E-mail: Gulam.Thakur@bp.com
             gulam.thakur-cic.uk@ibm.com





-----Original Message-----
From: André Warnier (tomcat) [mailto:aw@ice-sa.com] 
Sent: 19 September 2017 14:00
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Hello.

Did the issue below also affect the DAV application?
And if yes, also only under Windows?



Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
On 22/09/17 10:36, Maarten van Hulsentop wrote:
> I have tried to reproduce this issue on a fresh tomcat 7.0.78 installation.
> The issue can indeed easily be reproduced on the default servlet by setting
> the readonly property to false. After that, it is possible to PUT the jsp
> and the GET request will execute.
> 
> When I change the default servlet to be the WebDAV servlet, it can no
> longer PUT the JSP because of 409 errors.
> Adjusting the servlet mapping from / to /* resolves the 409. But doing so
> seems to prevent the JSP execution; the GET request will just yield the
> contents of the JSP.
> What do I need to do to get it reproduced for the WebDAV servlet as well?
> Or is this a theoretical thing and can we consider the WebDAV servlet
> configured in scenario 3 as not vulnerable in the real world?

I haven't seen a PoC for exploiting this via Tomcat's WebDAV
implementation. The original advisory was based on an understanding of
the Default servlet PoC and a quick look at Tomcat's WebDAV code. A
closer inspection shows that the Default servlet PoC won't work with
Tomcat's WebDAV implementation.

It looks to be unlikely that Tomcat's WebDAV implementation is
exploitable but as far as I am aware there hasn't been a great deal of
investigation in that direction. At this point it seems prudent to
assume that WebDAV could be vulnerable and mitigate accordingly.

> Does this
> also apply for individual web applications configuring a similar web.xml or
> is it only reproducible on the global default servlet?

CVE-2017-12615 applies in either of the above scenarios.

Mark



Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Posted by Maarten van Hulsentop <ma...@vanhulsentop.nl>.
Hello,

On Wed 20 Sep 2017 at 09:27, Mark Thomas <ma...@apache.org> wrote:

> On 19/09/17 14:10, Mark Thomas wrote:
> > On 19/09/17 14:00, André Warnier (tomcat) wrote:
> >> Hello.
> >>
> >> Did the issue below also affect the DAV application?
> >
> > Yes, as the WebDAV servlet also processes HTTP PUT requests.
> >
> > The WebDAV servlet extends the Default servlet so they actually share
> > the implementation.
>
> Thinking about this a little more, it will depend on how the WebDAV
> servlet is mapped. While there is a configuration where this would be an
> issue for WebDAV, I don't think it is one that would normally be used.
>

I have tried to reproduce this issue on a fresh tomcat 7.0.78 installation.
The issue can indeed easily be reproduced on the default servlet by setting
the readonly property to false. After that, it is possible to PUT the jsp
and the GET request will execute.

When I change the default servlet to be the WebDAV servlet, it can no
longer PUT the JSP because of 409 errors.
Adjusting the servlet mapping from / to /* resolves the 409. But doing so
seems to prevent the JSP execution; the GET request will just yield the
contents of the JSP.
What do I need to do to get it reproduced for the WebDAV servlet as well?
Or is this a theoretical thing and can we consider the WebDAV servlet
configured in scenario 3 as not vulnerable in the real world? Does this
also apply for individual web applications configuring a similar web.xml or
is it only reproducible on the global default servlet?

For clarity, my scenarios are:
1. == Default servlet reproduction
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml,
add <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
to <servlet-name>default</servlet-name>
- PUT possible
- GET executes JSP -> vulnerable!

2. == WebDAV servlet reproduction with mapping on '/'
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml, change to
<servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
for <servlet-name>default</servlet-name>
- Modify [tomcat]/conf/web.xml,
add <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
to <servlet-name>default</servlet-name>
- PUT fails with 409 message -> not vulnerable?

3. == WebDAV servlet reproduction with mapping on '/*'
- [fresh installation Tomcat 7.0.78]
- Modify [tomcat]/conf/web.xml, change to
<servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
for <servlet-name>default</servlet-name>
- Modify [tomcat]/conf/web.xml,
add <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
to <servlet-name>default</servlet-name>
- Modify [tomcat]/conf/web.xml, change url pattern
<url-pattern>/</url-pattern> to <url-pattern>/*</url-pattern>
(for <servlet-name>default</servlet-name>)
- PUT possible
- GET retrieves the content for the JSP -> not vulnerable right now?

Thank you for your feedback,

Regards,

Maarten van Hulsentop
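An added audit helper, my own example rather than code from the thread or from Tomcat, that performs the check behind Maarten's three scenarios directly on a conf/web.xml: it reports any servlet of class org.apache.catalina.servlets.DefaultServlet or org.apache.catalina.servlets.WebdavServlet whose readonly init-param is false, together with its url-pattern mappings, so both servlet classes Mark says share the PUT implementation are covered. The sample web.xml it builds is constructed for the example, and the function names are mine.

```python
"""Audit a Tomcat conf/web.xml for DefaultServlet/WebdavServlet instances
that accept HTTP PUT, i.e. whose 'readonly' init-param is "false".
Hypothetical helper written for this thread; not Tomcat's own code."""
import xml.etree.ElementTree as ET

# Servlet classes named in the thread. WebdavServlet extends DefaultServlet,
# so both handle PUT once readonly is false (Tomcat's default is true).
PUT_CAPABLE_CLASSES = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}


def _local(tag):
    """Drop the namespace so java.sun.com and jcp.org web.xml schemas both parse."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Stripped text of the first direct child with local tag 'name', else None."""
    for child in elem:
        if _local(child.tag) == name and child.text is not None:
            return child.text.strip()
    return None


def audit_web_xml(xml_text):
    """Return (servlet-name, servlet-class, [url-patterns]) for every
    PUT-capable servlet whose readonly init-param is explicitly "false".
    Servlets without the parameter keep Tomcat's default (readonly=true)
    and are not reported, because PUT is rejected for them."""
    root = ET.fromstring(xml_text)
    servlets, mappings = {}, {}
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "servlet":
            name = _child_text(elem, "servlet-name")
            cls = _child_text(elem, "servlet-class")
            readonly = True
            for child in elem:
                if (_local(child.tag) == "init-param"
                        and _child_text(child, "param-name") == "readonly"):
                    value = _child_text(child, "param-value") or ""
                    readonly = value.lower() != "false"
            servlets[name] = (cls, readonly)
        elif tag == "servlet-mapping":
            name = _child_text(elem, "servlet-name")
            patterns = [c.text.strip() for c in elem
                        if _local(c.tag) == "url-pattern" and c.text]
            mappings.setdefault(name, []).extend(patterns)
    return [(name, cls, mappings.get(name, []))
            for name, (cls, readonly) in servlets.items()
            if cls in PUT_CAPABLE_CLASSES and not readonly]


def make_web_xml(servlet_class, readonly, url_pattern):
    """Constructed minimal web.xml mirroring Maarten's scenarios (not a real
    Tomcat file). readonly=None omits the init-param entirely."""
    init_param = "" if readonly is None else (
        "<init-param><param-name>readonly</param-name>"
        f"<param-value>{readonly}</param-value></init-param>")
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{servlet_class}</servlet-class>
    {init_param}
  </servlet>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>{url_pattern}</url-pattern>
  </servlet-mapping>
</web-app>"""
```

Running audit_web_xml over a real conf/web.xml and each deployed application's WEB-INF/web.xml gives an empty list on a stock install and a finding for scenarios 1 to 3; per Mark's reply, the WebDAV findings should be treated as needing the same upgrade.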

Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
On 19/09/17 14:10, Mark Thomas wrote:
> On 19/09/17 14:00, André Warnier (tomcat) wrote:
>> Hello.
>>
>> Did the issue below also affect the DAV application?
> 
> Yes, as the WebDAV servlet also processes HTTP PUT requests.
> 
> The WebDAV servlet extends the Default servlet so they actually share
> the implementation.

Thinking about this a little more, it will depend on how the WebDAV
servlet is mapped. While there is a configuration where this would be an
issue for WebDAV, I don't think it is one that would normally be used.

Mark


> 
>> And if yes, also only under Windows?
> 
> Yes. This is, as far as we can tell, Windows specific.
> 
> HTH,
> 
> Mark


RE: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Posted by "Thakur, Gulam (IBM)" <Gu...@bp.com>.
Hi,

This we require in Windows systems. We will be looking at Windows 10. Spring Boot application, Microsoft Azure based.


Many thanks, 

Gulam Thakur
Software Developer, Synapse Dev Squad 
BP Sunbury, Bldg H, 1st floor
TW16 7LN


Mobile: +44 (0) 7443 243808 
E-mail: Gulam.Thakur@bp.com
             gulam.thakur-cic.uk@ibm.com





-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: 19 September 2017 14:10
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

On 19/09/17 14:00, André Warnier (tomcat) wrote:
> Hello.
> 
> Did the issue below also affect the DAV application?

Yes, as the WebDAV servlet also processes HTTP PUT requests.

The WebDAV servlet extends the Default servlet so they actually share the implementation.

> And if yes, also only under Windows?

Yes. This is, as far as we can tell, Windows specific.

HTH,

Mark




Re: Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Posted by Mark Thomas <ma...@apache.org>.
On 19/09/17 14:00, André Warnier (tomcat) wrote:
> Hello.
> 
> Did the issue below also affect the DAV application?

Yes, as the WebDAV servlet also processes HTTP PUT requests.

The WebDAV servlet extends the Default servlet so they actually share
the implementation.

> And if yes, also only under Windows?

Yes. This is, as far as we can tell, Windows specific.

HTH,

Mark




Fwd: [SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
Hello.

Did the issue below also affect the DAV application?
And if yes, also only under Windows?


