Update: The review did not identify any further security concerns but it did identify a handful of places where the code could benefit from some clean-up. This clean-up makes the purpose of the code clearer and eases future maintenance in this security-relevant area of the code base.
The clean-up has been implemented and reviewed. Back-ports have been completed for 8.5.x and 8.0.x. 7.0.x is in progress but requires a little more time as 7.0.x uses the JNDI based resources implementation that was replaced in 8.0.x onwards. The current expectation is that the releases will be tagged and votes started later today. Mark On 20/09/17 17:37, Mark Thomas wrote: > Update: > > We believe we have a set of patches [1],[2] that addresses this for > 9.0.x. The plan is to give folks ~12 hours to review the proposed > patches and then back-port the patches, tag and release. > > Further analysis has not identified any additional attack vectors or > risks associated with this vulnerability. > > The recommended mitigations remain unchanged. > > Mark > > > [1] http://svn.apache.org/viewvc?rev=1809011&view=rev > [2] http://svn.apache.org/viewvc?rev=1809025&view=rev > > > On 20/09/17 13:20, Mark Thomas wrote: >> Update: >> >> The issue has been confirmed. >> >> CVE-2017-12617 has been allocated. >> >> The issue is not limited to PUT requests. For the Default servlet, >> DELETE is known to be affected. For the WebDAV servlet DELETE, MOVE and >> COPY are believed to be affected. >> >> The RCE via JSP upload using PUT is still believed to be the most severe >> impact of this vulnerability. >> >> The recommended mitigations remain unchanged. >> >> Mark >> >> >> On 20/09/17 09:25, Mark Thomas wrote: >>> All, >>> >>> Following the announcement of CVE-2017-12615 [1], the Apache Tomcat >>> Security Team has received multiple reports that a similar vulnerability >>> exists in all current Tomcat versions and affects all operating systems. >>> >>> Unfortunately, one of these reports was made via the public bug tracker >>> [2] rather than responsibly via the Tomcat Security Team's private >>> mailing list [3]. >>> >>> We have not yet completed our investigation of these reports but, based >>> on the volume, and our initial investigation they appear to be valid. >>> >>> From an initial analysis of the reports received, the vulnerability only >>> affects the following configurations: >>> >>> Default Servlet >>> - Default Servlet configured with readonly="false" >>> AND >>> - Untrusted users are permitted to perform HTTP PUT requests >>> >>> WebDAV Servlet >>> - WebDAV Servlet configured with readonly="false" >>> AND >>> - Untrusted users are permitted to perform HTTP PUT requests >>> AND >>> - The documented advice not to map the WebDAV servlet as the Default >>> servlet has been ignored >>> >>> Please note that: >>> - The WebDAV servlet is disabled by default >>> - The default value for the readonly parameter is true for both the >>> Default servlet and the WebDAV servlet >>> >>> Therefore, a default Tomcat installation is not affected by this >>> potential vulnerability. >>> >>> Based on our understanding to date, the potential vulnerability may be >>> mitigated by any of the following: >>> - setting readonly to true for the Default servlet and WebDAV servlet >>> - blocking HTTP methods that permit resource modification for untrusted >>> users >>> >>> We will provide updates to the community as our investigation of these >>> reports continues. >>> >>> Mark >>> on behalf of the Apache Tomcat Security Team >>> >>> >>> [1] http://markmail.org/message/xqfchebiy6fjmvjz >>> [2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542 >>> [3] http://tomcat.apache.org/security.html >>> >>> --------------------------------------------------------------------- >>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >>> For additional commands, e-mail: users-h...@tomcat.apache.org >>> >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
