Posted to dev@ranger.apache.org by pe...@zte.com.cn on 2017/09/27 06:41:49 UTC

Re: Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

I am further testing and evaluating the effect of RANGER-1797 for ranger using our automated integration test environment. Please share your opinion and feedback with me.

Thanks

Jianhua Peng

Original message
From: <vishalsuvagia@yahoo.com.INVALID>
To: <dev@ranger.incubator.apache.org> <dev@ranger.apache.org>
Date: 2017-09-27 13:57
Subject: Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload

Hi All,
         FYI, please find below the mail from Mark, a member of the Apache Tomcat security team.
         Looks like the Tomcat team is working on fixing the CVE issues.
         For the same issue RANGER-1797 is created (to upgrade to Tomcat 7.0.81, which also seems to be vulnerable); can we please evaluate the risks of updating the Tomcat version.

Thanks
Vishal Suvagia.
------------------------------------------------------------------------------------------------------

On Wednesday, 20 September 2017 2:41 PM, Mark Thomas <markt@apache.org> wrote:

All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat Security Team has received multiple reports that a similar vulnerability exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker [2] rather than responsibly via the Tomcat Security Team's private mailing list [3].

We have not yet completed our investigation of these reports but, based on the volume and our initial investigation, they appear to be valid.

From an initial analysis of the reports received, the vulnerability only affects the following configurations:

Default Servlet
- Default Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests

WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests
  AND
- The documented advice not to map the WebDAV servlet as the Default servlet has been ignored

Please note that:
 - The WebDAV servlet is disabled by default
 - The default value for the readonly parameter is true for both the Default servlet and the WebDAV servlet

Therefore, a default Tomcat installation is not affected by this potential vulnerability.

Based on our understanding to date, the potential vulnerability may be mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted users

We will provide updates to the community as our investigation of these reports continues.

Mark
on behalf of the Apache Tomcat Security Team

[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html
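The affected configuration and the two mitigations in Mark's note, turned into a check a Ranger operator could run before and after RANGER-1797. This is an added example and is not part of the thread, nor Tomcat's or Ranger's own code. It parses a web.xml (Tomcat declares its Default servlet in conf/web.xml; a per-application web.xml can override it, and either can be fed to the function) and reports Default or WebDAV servlets that are writable while a security-constraint does not restrict PUT. The three web.xml fragments are constructed for the demonstration; only the servlet class names are Tomcat's real ones. The check also applies the note's WebDAV condition (affected only when mapped as the default servlet), so a writable WebDAV servlet under its own path is not flagged.

```python
"""Audit a Tomcat web.xml for the condition in the note above: a Default or
WebDAV servlet with readonly="false" while untrusted users can still issue
HTTP PUT. Added example, not Tomcat's or Ranger's own code; the web.xml
fragments at the bottom are constructed for this demonstration."""
import xml.etree.ElementTree as ET

# Tomcat's real servlet class names for the two servlets the note discusses
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
WEBDAV_SERVLET = "org.apache.catalina.servlets.WebdavServlet"

def _local(tag):
    # web.xml carries an XML namespace; compare on the local tag name only
    return tag.rsplit("}", 1)[-1]

def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""

def put_restricted_for_untrusted(root):
    """True if some security-constraint covers PUT on /* and carries an
    auth-constraint: an empty <auth-constraint/> denies everyone, one with a
    role-name denies unauthenticated (untrusted) users. Either satisfies the
    note's second mitigation."""
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint" or not _children(sc, "auth-constraint"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            patterns = {(p.text or "").strip() for p in _children(wrc, "url-pattern")}
            methods = {(m.text or "").strip().upper() for m in _children(wrc, "http-method")}
            if "/*" in patterns and "PUT" in methods:
                return True
    return False

def audit(web_xml):
    """Return the servlet-names left in the affected configuration."""
    root = ET.fromstring(web_xml)
    mappings = {}  # servlet-name -> set of url-patterns
    for sm in root.iter():
        if _local(sm.tag) == "servlet-mapping":
            mappings.setdefault(_text(sm, "servlet-name"), set()).update(
                (p.text or "").strip() for p in _children(sm, "url-pattern"))
    put_open = not put_restricted_for_untrusted(root)
    findings = []
    for sv in root.iter():
        if _local(sv.tag) != "servlet":
            continue
        name, cls = _text(sv, "servlet-name"), _text(sv, "servlet-class")
        params = {_text(ip, "param-name"): _text(ip, "param-value")
                  for ip in _children(sv, "init-param")}
        writable = params.get("readonly", "true").lower() == "false"  # default is true
        if cls == DEFAULT_SERVLET and writable and put_open:
            findings.append(name)
        # WebDAV is affected only when it has also been mapped as the default servlet ("/")
        elif cls == WEBDAV_SERVLET and writable and put_open and "/" in mappings.get(name, set()):
            findings.append(name)
    return findings

# Constructed weak configuration: Default servlet writable, PUT unrestricted.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

# Same deployment with both mitigations from the note applied: readonly back to
# true, and resource-modifying methods denied to everyone via an empty auth-constraint.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no-modification</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

# Constructed WebDAV deployment: writable, but mapped under /webdav/* rather than
# as the default servlet, so it is outside the configuration the note describes.
WEBDAV_SCOPED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/webdav/*</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_WEB_XML))                    # ['default']
    print("hardened:", audit(HARDENED_WEB_XML))            # []
    print("webdav scoped:", audit(WEBDAV_SCOPED_WEB_XML))  # []
```

The check treats a security-constraint with any auth-constraint as restricting PUT for untrusted users, which matches the note's wording; an empty `<auth-constraint/>` is the stronger form because it denies the method to authenticated users as well. It does not model `http-method-omission` or constraints on narrower url-patterns, so a configuration that restricts PUT only under some paths is reported as open, which is the conservative outcome for an audit.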

