Ranger / RANGER-1797

Tomcat Security Vulnerability Alert. The version of Tomcat for Ranger should be upgraded to 7.0.82.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0, master
    • Fix Version/s: 1.0.0, master
    • Component/s: admin
    • Labels:
    • Flags: Patch, Important

      Description

      【Security Vulnerability Alert】Tomcat Information leakage and remote code execution vulnerabilities.
      CVE ID: CVE-2017-12615, CVE-2017-12616
      

      Description

      CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
      CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
      

      Scope

      CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
      CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
      

      Solution

      The official Apache Tomcat 7.0.81 release has fixed the two vulnerabilities; upgrading to the latest version is recommended.
      

      Reference

      https://tomcat.apache.org/security-7.html
      http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
      https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
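
A defensive exposure check for the two CVEs described in this ticket, as an added example that is not part of the original issue or of Ranger's code. It assumes that "HTTP PUTs enabled" means the DefaultServlet `readonly` init-param is set to `false` and that VirtualDirContext is selected through a `<Resources className=...>` element; the sample XML is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Inclusive affected ranges, copied from the ticket's "Scope" section.
AFFECTED = {"CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
            "CVE-2017-12616": ((7, 0, 0), (7, 0, 80))}
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample configuration (not taken from Ranger or the ticket).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAMPLE_CONTEXT_XML = """<Context>
  <Resources className="org.apache.naming.resources.VirtualDirContext"/>
</Context>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop ElementTree's "{namespace}" prefix

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def put_enabled(web_xml):
    """True if a DefaultServlet sets init-param readonly=false (HTTP PUT accepted)."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) == "servlet" and _child_text(servlet, "servlet-class") == DEFAULT_SERVLET:
            for p in servlet:
                if (_local(p.tag) == "init-param" and _child_text(p, "param-name") == "readonly"
                        and _child_text(p, "param-value").lower() == "false"):
                    return True
    return False

def uses_virtual_dir_context(context_xml):
    """True if any <Resources> element selects a VirtualDirContext class."""
    return any(_local(e.tag) == "Resources" and e.get("className", "").endswith("VirtualDirContext")
               for e in ET.fromstring(context_xml).iter())

def audit(version, web_xml, context_xml, on_windows):
    """Return CVE ids whose affected range and stated precondition both hold."""
    v = tuple(int(n) for n in version.strip().split("."))
    precondition = {"CVE-2017-12615": on_windows and put_enabled(web_xml),
                    "CVE-2017-12616": uses_virtual_dir_context(context_xml)}
    return sorted(cve for cve, (low, high) in AFFECTED.items()
                  if low <= v <= high and precondition[cve])

if __name__ == "__main__":
    print(audit("7.0.79", SAMPLE_WEB_XML, SAMPLE_CONTEXT_XML, on_windows=True))
```

Run the check against both the global `conf/web.xml` and each application's `WEB-INF/web.xml`, since either can define the DefaultServlet. An empty result only means the stated preconditions were not found in the files supplied; upgrading remains the fix.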
      

        Attachments

        1. 0001-RANGER-1797-Tomcat-Security-Vulnerability-Alert.-The.patch
          0.9 kB
          peng.jianhua
        2. catalina.out
          3 kB
          Vishal Suvagia

            People

            • Assignee: peng.jianhua
            • Reporter: peng.jianhua
            • Votes: 0
            • Watchers: 5
