Mark, Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they are not supported, but are they exploitable by this vulnerability?
Thx Mike On 3 October 2017 at 11:55, Mark Thomas <ma...@apache.org> wrote: > CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions Affected: > Apache Tomcat 9.0.0.M1 to 9.0.0 > Apache Tomcat 8.5.0 to 8.5.22 > Apache Tomcat 8.0.0.RC1 to 8.0.46 > Apache Tomcat 7.0.0 to 7.0.81 > > Description: > When running with HTTP PUTs enabled (e.g. via setting the readonly > initialisation parameter of the Default servlet to false) it was > possible to upload a JSP file to the server via a specially crafted > request. This JSP could then be requested and any code it contained > would be executed by the server. > > Mitigation: > Users of the affected versions should apply one of the following > mitigations: > - Upgrade to Apache Tomcat 9.0.1 or later > - Upgrade to Apache Tomcat 8.5.23 or later > - Upgrade to Apache Tomcat 8.0.47 or later > - Upgrade to Apache Tomcat 7.0.82 or later > > Credit: > This issue was first reported publicly followed by multiple reports to > the Apache Tomcat Security Team. > > History: > 2017-10-03 Original advisory > > References: > [1] http://tomcat.apache.org/security-9.html > [2] http://tomcat.apache.org/security-8.html > [3] http://tomcat.apache.org/security-7.html > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > >
