ranger-dev mailing list archives

From vishal suvagia <vishalsuva...@yahoo.com.INVALID>
Subject Fw: Regarding upgrading of Tomcat [SECURITY] Apache Tomcat Possible additional RCE via JSP upload
Date Wed, 27 Sep 2017 05:45:57 GMT
Hi All,

FYI, please find below the mail from Mark, a member of the Apache Tomcat security team.

Looks like the Tomcat team is working on fixing the CVE issues.

For the same issue RANGER-1797 is created (to upgrade to Tomcat 7.0.81, which also seems to be vulnerable); can we please evaluate the risks of updating the Tomcat version.

Thanks
Vishal Suvagia.
-----------------------------------------------------------------------------------------------------------


On Wednesday, 20 September 2017 2:41 PM, Mark Thomas <markt@apache.org> wrote:


All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker
[2] rather than responsibly via the Tomcat Security Team's private
mailing list [3].

We have not yet completed our investigation of these reports but, based
on the volume, and our initial investigation they appear to be valid.

From an initial analysis of the reports received, the vulnerability only
affects the following configurations:

Default Servlet
- Default Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests

WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests
  AND
- The documented advice not to map the WebDAV servlet as the Default
  servlet has been ignored

Please note that:
 - The WebDAV servlet is disabled by default
 - The default value for the readonly parameter is true for both the
  Default servlet and the WebDAV servlet

Therefore, a default Tomcat installation is not affected by this
potential vulnerability.

Based on our understanding to date, the potential vulnerability may be
mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted
  users

We will provide updates to the community as our investigation of these
reports continues.

Mark
on behalf of the Apache Tomcat Security Team


[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html
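The forwarded advisory states the exposure conditions (Default or WebDAV servlet with readonly="false", untrusted users allowed to PUT, WebDAV mapped as the default servlet) and the two mitigations (readonly="true", or a constraint blocking resource-modifying methods). As an added example that is not part of this thread, of Ranger, or of Tomcat itself, the script below parses a web.xml and reports only the combinations the advisory names as exposed. The two embedded web.xml documents are constructed samples; the servlet class names are Tomcat's real ones, and the `<security-constraint>` with an empty `<auth-constraint/>` is the standard Servlet-spec way to deny a method to everyone.

```python
"""Audit a Tomcat web.xml for the exposure conditions in the Tomcat advisory.

Added example, not code from the mailing-list thread or from Tomcat.
The sample web.xml documents at the bottom are constructed for this script.
"""
import xml.etree.ElementTree as ET

# Real Tomcat class names for the two servlets the advisory names.
WATCHED = {
    "org.apache.catalina.servlets.DefaultServlet": "Default",
    "org.apache.catalina.servlets.WebdavServlet": "WebDAV",
}


def _local(tag):
    """Strip an XML namespace: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _kids(el, name):
    return [c for c in el if _local(c.tag) == name]


def _text(el, name):
    kids = _kids(el, name)
    return (kids[0].text or "").strip() if kids else ""


def _put_blocked_everywhere(root):
    """True if a <security-constraint> covers PUT on /* (or /) and its
    <auth-constraint> names no role, which denies the method to everyone."""
    for sc in _kids(root, "security-constraint"):
        auth = _kids(sc, "auth-constraint")
        if not auth or _kids(auth[0], "role-name"):
            continue  # no constraint, or some role may still PUT
        for wrc in _kids(sc, "web-resource-collection"):
            patterns = {p.text.strip() for p in _kids(wrc, "url-pattern") if p.text}
            methods = {m.text.strip().upper() for m in _kids(wrc, "http-method") if m.text}
            # With no <http-method> listed, the constraint applies to every method.
            if patterns & {"/*", "/"} and (not methods or "PUT" in methods):
                return True
    return False


def audit_web_xml(xml_text):
    """Return the list of exposed configurations; empty means none found."""
    root = ET.fromstring(xml_text)
    mapped = {}  # servlet-name -> set of url-patterns
    for sm in _kids(root, "servlet-mapping"):
        mapped.setdefault(_text(sm, "servlet-name"), set()).update(
            p.text.strip() for p in _kids(sm, "url-pattern") if p.text)
    put_blocked = _put_blocked_everywhere(root)
    findings = []
    for sv in _kids(root, "servlet"):
        kind = WATCHED.get(_text(sv, "servlet-class"))
        if kind is None:
            continue
        name = _text(sv, "servlet-name")
        readonly = "true"  # Tomcat's default for both servlets
        for ip in _kids(sv, "init-param"):
            if _text(ip, "param-name") == "readonly":
                readonly = _text(ip, "param-value").lower()
        if readonly != "false" or put_blocked:
            continue  # either mitigation from the advisory is in place
        if kind == "Default":
            findings.append(f"Default servlet '{name}': readonly=false and PUT not blocked")
        elif "/" in mapped.get(name, set()):
            findings.append(f"WebDAV servlet '{name}': readonly=false, mapped as the "
                            f"default servlet, and PUT not blocked")
    return findings


# Constructed sample: the weak Default-servlet configuration the advisory describes.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

# Constructed sample: the same deployment with both mitigations applied.
HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>no resource modification</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method>
      <http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc) or "no findings")
```

Either mitigation alone clears the finding, matching the advisory's "any of the following": the test case that flips the hardened sample back to readonly=false still passes because the method constraint remains.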

