[RANGER-1797] Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82. - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0.0, master
Fix Version/s: 1.0.0, master
Component/s: admin
Labels:
- patch

Flags:

Patch, Important

Description

【Security Vulnerability Alert】Tomcat Information leakage and remote code execution vulnerabilities.
CVE ID:

CVE-2017-12615\CVE-2017-12616

Description

CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request, bypass security constraints, or get the source code of JSPs for resources served by the VirtualDirContext, thereby cased code disclosure.

Scope

CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80

Solution

The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.

Reference

https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

0001-RANGER-1797-Tomcat-Security-Vulnerability-Alert.-The.patch
22/Sep/17 07:58
0.9 kB
peng.jianhua
catalina.out
30/Nov/17 09:40
3 kB
Vishal Suvagia

Issue Links

links to

https://reviews.apache.org/r/62495/

Activity

People

Assignee:: peng.jianhua

Reporter:: peng.jianhua

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Sep/17 06:14

Updated:: 26/Sep/18 20:54

Resolved:: 06/Dec/17 02:26