ranger-dev mailing list archives

From "Abhay Kulkarni (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (RANGER-1797) Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.
Date Wed, 26 Sep 2018 20:55:00 GMT

    [ https://issues.apache.org/jira/browse/RANGER-1797?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16629394#comment-16629394 ]

Abhay Kulkarni commented on RANGER-1797:
----------------------------------------

ranger-0.7:

commit details:

https://git-wip-us.apache.org/repos/asf?p=ranger.git;a=commit;h=bb5e8590cc99c1d9f6fa2e6d91ab0f35a07f6a83

> Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.
> ---------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-1797
>                 URL: https://issues.apache.org/jira/browse/RANGER-1797
>             Project: Ranger
>          Issue Type: Bug
>          Components: admin
>    Affects Versions: 1.0.0, master
>            Reporter: peng.jianhua
>            Assignee: peng.jianhua
>            Priority: Major
>              Labels: patch
>             Fix For: 1.0.0, master
>
>         Attachments: 0001-RANGER-1797-Tomcat-Security-Vulnerability-Alert.-The.patch, catalina.out
>
>
> 【Security Vulnerability Alert】Tomcat Information leakage and remote code execution vulnerabilities.
> CVE ID:
> {code}
> CVE-2017-12615\CVE-2017-12616
> {code}
> Description
> {code}
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> {code}
> Scope
> {code}
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> {code}
> Solution
> {code}
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
> {code}
> Reference
> {code}
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
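The affected-version ranges quoted in the issue lend themselves to a quick inventory check: given a Tomcat version string and the server configuration, which of the two CVEs still applies and which is only held off by configuration? The Python script below is an added example written for this page; it is not code from the Ranger project, the patch, or the JIRA reporter. It assumes that HTTP PUT counts as "enabled" when the DefaultServlet's readonly init-param is set to false in Tomcat's web.xml (Tomcat's default is true), that the web.xml follows the standard conf/web.xml layout, and that VirtualDirContext usage is known from the server configuration and passed in as a flag. The web.xml fragments in the script are constructed samples.

```python
"""Version-range check for the two Tomcat CVEs listed in RANGER-1797.

Added example for this page, not Ranger project code. The inclusive ranges
are the ones quoted in the issue: CVE-2017-12615 affects Tomcat 7.0.0-7.0.79
and only matters when HTTP PUT is enabled; CVE-2017-12616 affects
7.0.0-7.0.80 and only matters when a VirtualDirContext is in use.
Assumption: PUT is enabled when the DefaultServlet's "readonly" init-param
is "false" (Tomcat's default is "true").
"""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, copied from the issue text.
AFFECTED_RANGES = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}


def parse_version(text):
    """Extract an (x, y, z) tuple from strings like 'Apache Tomcat/7.0.79'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def _local(tag):
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def put_enabled(web_xml_text):
    """True if the 'default' servlet has readonly=false, which allows PUT/DELETE."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        children = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if children.get("servlet-name") != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly":
                return kv.get("param-value", "true").lower() == "false"
        return False  # readonly not set: Tomcat defaults to true (PUT rejected)
    return False


def assess(version_text, put_allowed=False, virtual_dir_context=False):
    """Map each CVE to 'exposed', 'mitigated-by-config' or 'fixed'."""
    version = parse_version(version_text)
    preconditions = {
        "CVE-2017-12615": put_allowed,
        "CVE-2017-12616": virtual_dir_context,
    }
    result = {}
    for cve, (low, high) in AFFECTED_RANGES.items():
        if not (low <= version <= high):
            result[cve] = "fixed"
        elif preconditions[cve]:
            result[cve] = "exposed"
        else:
            result[cve] = "mitigated-by-config"
    return result


# Constructed sample: a web.xml fragment that turns the default servlet read-write.
SAMPLE_WEB_XML_RW = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the same servlet with the read-only default left in place.
SAMPLE_WEB_XML_RO = SAMPLE_WEB_XML_RW.replace("<param-value>false", "<param-value>true")


if __name__ == "__main__":
    for ver in ("Apache Tomcat/7.0.79", "7.0.80", "7.0.82"):
        print(ver, assess(ver, put_allowed=put_enabled(SAMPLE_WEB_XML_RW)))
```

The "mitigated-by-config" status is deliberately separate from "fixed": a 7.0.80 instance with readonly left at its default is not exploitable through PUT today, but a later configuration change would expose it, so the upgrade to 7.0.82 recommended in the issue remains the durable fix.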
