Update: We believe we have a set of patches [1],[2] that addresses this for 9.0.x. The plan is to give folks ~12 hours to review the proposed patches and then back-port the patches, tag and release.

Further analysis has not identified any additional attack vectors or risks associated with this vulnerability. The recommended mitigations remain unchanged.

Mark

[1] http://svn.apache.org/viewvc?rev=1809011&view=rev
[2] http://svn.apache.org/viewvc?rev=1809025&view=rev

On 20/09/17 13:20, Mark Thomas wrote:
> Update:
>
> The issue has been confirmed.
>
> CVE-2017-12617 has been allocated.
>
> The issue is not limited to PUT requests. For the Default servlet, DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and COPY are believed to be affected.
>
> The RCE via JSP upload using PUT is still believed to be the most severe impact of this vulnerability.
>
> The recommended mitigations remain unchanged.
>
> Mark
>
>
> On 20/09/17 09:25, Mark Thomas wrote:
>> All,
>>
>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat Security Team has received multiple reports that a similar vulnerability exists in all current Tomcat versions and affects all operating systems.
>>
>> Unfortunately, one of these reports was made via the public bug tracker [2] rather than responsibly via the Tomcat Security Team's private mailing list [3].
>>
>> We have not yet completed our investigation of these reports but, based on the volume, and our initial investigation they appear to be valid.
>>
>> From an initial analysis of the reports received, the vulnerability only affects the following configurations:
>>
>> Default Servlet
>> - Default Servlet configured with readonly="false"
>> AND
>> - Untrusted users are permitted to perform HTTP PUT requests
>>
>> WebDAV Servlet
>> - WebDAV Servlet configured with readonly="false"
>> AND
>> - Untrusted users are permitted to perform HTTP PUT requests
>> AND
>> - The documented advice not to map the WebDAV servlet as the Default servlet has been ignored
>>
>> Please note that:
>> - The WebDAV servlet is disabled by default
>> - The default value for the readonly parameter is true for both the Default servlet and the WebDAV servlet
>>
>> Therefore, a default Tomcat installation is not affected by this potential vulnerability.
>>
>> Based on our understanding to date, the potential vulnerability may be mitigated by any of the following:
>> - setting readonly to true for the Default servlet and WebDAV servlet
>> - blocking HTTP methods that permit resource modification for untrusted users
>>
>> We will provide updates to the community as our investigation of these reports continues.
>>
>> Mark
>> on behalf of the Apache Tomcat Security Team
>>
>>
>> [1] http://markmail.org/message/xqfchebiy6fjmvjz
>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>> [3] http://tomcat.apache.org/security.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>
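The two mitigations named in the thread (readonly="true" on the Default and WebDAV servlets, and blocking resource-modifying methods for untrusted users), written out as a web.xml fragment. This is an added illustration, not configuration from the thread or from the Tomcat project; it assumes the standard conf/web.xml layout and the servlet class names used by Tomcat, and the /webdav/* mapping and "dav-admin" role are placeholders.

```xml
<!-- Weak setting the thread describes: readonly="false" lets anyone who can
     send PUT (and, per the update, DELETE) modify files under the webapp. -->
<!--
<init-param>
    <param-name>readonly</param-name>
    <param-value>false</param-value>
</init-param>
-->

<!-- Mitigation 1: leave readonly at its default of true on the Default servlet -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- If WebDAV is enabled at all: readonly="true", and mapped to its own
     sub-path rather than as the default servlet (placeholder path /webdav/*). -->
<servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>webdav</servlet-name>
    <url-pattern>/webdav/*</url-pattern>
</servlet-mapping>

<!-- Mitigation 2: deny the resource-modifying methods named in the thread to
     everyone except an authenticated role (placeholder role "dav-admin").
     An empty <auth-constraint/> would deny them to all users instead. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Resource modification</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>PUT</http-method>
        <http-method>DELETE</http-method>
        <http-method>MOVE</http-method>
        <http-method>COPY</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>dav-admin</role-name>
    </auth-constraint>
</security-constraint>
```

Methods not listed in the <web-resource-collection> stay uncovered, so GET and HEAD continue to work for unauthenticated users; a login-config and a matching realm role are still required for the constraint to be enforceable.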