
====================================================================

                              CERT-Renater

                 Note d'Information No. 2017/VULN264
_____________________________________________________________________

DATE                : 20/09/2017

HARDWARE PLATFORM(S):  /

OPERATING SYSTEM(S): Systems running Apache Tomcat version 7 prior to
                                      7.0.81.

=====================================================================
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201709.mbox/%3cde541c4a-55b1-a4d3-4fbe-f8e3800b920f@apache.org%3e
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201709.mbox/%3caa9ea974-9acf-e0af-c3d7-46830b45d9fe@apache.org%3e
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201709.mbox/%3c16df1f59-ea31-0789-f0c8-5432c60de8fc@apache.org%3e
____________________________________________________________________

CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79


Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the
readonly initialisation parameter of the Default servlet to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)


Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by iswin from 360-sg-lab


History:
2017-09-19 Original advisory


References:
[1] http://tomcat.apache.org/security-7.html

____________________________________________________________________

All,

Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.

Unfortunately, one of these reports was made via the public bug tracker
[2] rather than responsibly via the Tomcat Security Team's private
mailing list [3].

We have not yet completed our investigation of these reports but, based
on the volume, and our initial investigation they appear to be valid.

From an initial analysis of the reports received, the vulnerability
only affects the following configurations:


Default Servlet
- Default Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests


WebDAV Servlet
- WebDAV Servlet configured with readonly="false"
  AND
- Untrusted users are permitted to perform HTTP PUT requests
  AND
- The documented advice not to map the WebDAV servlet as the Default
  servlet has been ignored


Please note that:
 - The WebDAV servlet is disabled by default
 - The default value for the readonly parameter is true for both the
   Default servlet and the WebDAV servlet


Therefore, a default Tomcat installation is not affected by this
potential vulnerability.


Based on our understanding to date, the potential vulnerability may be
mitigated by any of the following:
- setting readonly to true for the Default servlet and WebDAV servlet
- blocking HTTP methods that permit resource modification for untrusted
  users


We will provide updates to the community as our investigation of these
reports continues.

Mark
on behalf of the Apache Tomcat Security Team


[1] http://markmail.org/message/xqfchebiy6fjmvjz
[2] https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
[3] http://tomcat.apache.org/security.html
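
The conditions listed above (Default servlet with readonly="false", or
WebDAV servlet with readonly="false" mapped as the default servlet) and
the two mitigations (readonly="true", or a security-constraint that keeps
untrusted users away from the modifying HTTP methods) can be checked
mechanically against a web.xml. The script below is an added example and
is not code from Apache Tomcat or the Tomcat Security Team; the web.xml
fragments it contains are constructed for the example, and the function
name audit_web_xml and its result keys are names chosen here.

```python
"""Audit a Tomcat web.xml for the CVE-2017-12615 preconditions.

Added example (not Apache Tomcat code). Applies the conditions from the
Tomcat Security Team's follow-up: Default servlet with readonly=false, or
WebDAV servlet with readonly=false mapped as the default servlet ('/'),
then checks whether a security-constraint restricts PUT on /* for
untrusted users. All web.xml fragments below are constructed samples.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
WEBDAV_SERVLET = "org.apache.catalina.servlets.WebdavServlet"

# Constructed: the weak configuration from the advisory (Default servlet writable).
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

# Constructed: WebDAV servlet made writable and mapped as the default servlet.
WEBDAV_AS_DEFAULT_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>webdav</servlet-name>
    <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>webdav</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""

# Constructed: hardened form, readonly=true plus a security-constraint on /* whose
# empty auth-constraint denies PUT and DELETE to every caller.
HARDENED_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Block resource modification</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>PUT</http-method><http-method>DELETE</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so namespaced and plain web.xml files parse alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else ""


def audit_web_xml(xml_text):
    root = ET.fromstring(xml_text)

    # servlet-name -> (class, readonly). Tomcat defaults readonly to true; a supplied
    # value is parsed like Boolean.parseBoolean, so only "true" (any case) is true.
    servlets = {}
    for s in _children(root, "servlet"):
        readonly = True
        for p in _children(s, "init-param"):
            if _text(p, "param-name") == "readonly":
                readonly = _text(p, "param-value").lower() == "true"
        servlets[_text(s, "servlet-name")] = (_text(s, "servlet-class"), readonly)

    mappings = {}
    for m in _children(root, "servlet-mapping"):
        pats = {(c.text or "").strip() for c in _children(m, "url-pattern")}
        mappings.setdefault(_text(m, "servlet-name"), set()).update(pats)

    # Methods untrusted (unauthenticated) users cannot use on /*: a constraint with an
    # auth-constraint requires a role, and an empty auth-constraint denies everybody.
    restricted = set()
    for sc in _children(root, "security-constraint"):
        if not _children(sc, "auth-constraint"):
            continue
        for wrc in _children(sc, "web-resource-collection"):
            if "/*" in {(c.text or "").strip() for c in _children(wrc, "url-pattern")}:
                restricted.update((h.text or "").strip().upper()
                                  for h in _children(wrc, "http-method"))

    findings = []
    for name, (cls, readonly) in servlets.items():
        if readonly:
            continue
        if cls == DEFAULT_SERVLET:
            findings.append(f"Default servlet '{name}' has readonly=false")
        elif cls == WEBDAV_SERVLET and "/" in mappings.get(name, set()):
            findings.append(f"WebDAV servlet '{name}' has readonly=false and is mapped as the default servlet")

    return {
        "findings": findings,
        "restricted_methods": sorted(restricted),
        "writable_by_untrusted": bool(findings) and "PUT" not in restricted,
    }


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEB_XML),
                       ("webdav-as-default", WEBDAV_AS_DEFAULT_WEB_XML),
                       ("hardened", HARDENED_WEB_XML)):
        print(label, audit_web_xml(doc))
```

Run it against $CATALINA_BASE/conf/web.xml and each deployed application's
WEB-INF/web.xml, since a per-application web.xml can override the global
Default servlet definition. The script only evaluates /* constraints;
narrower url-patterns need to cover every path a JSP could be written to.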
____________________________________________________________________


CVE-2017-12616 Apache Tomcat Information Disclosure


Severity: Important

Vendor: The Apache Software Foundation


Versions Affected:
Apache Tomcat 7.0.0 to 7.0.80


Description:
When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resources served by
the VirtualDirContext using a specially crafted request.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81


Credit:
This issue was identified by the Tomcat Security Team while
investigating CVE-2017-12615.


History:
2017-09-19 Original advisory


References:
[1] http://tomcat.apache.org/security-7.html


==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================



