CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0
Apache Tomcat 8.5.0 to 8.5.22
Apache Tomcat 8.0.0.RC1 to 8.0.46
Apache Tomcat 7.0.0 to 7.0.81
Description:
When running with HTTP PUTs enabled (e.g. via setting the readonly
initialisation parameter of the Default servlet to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.1 or later
- Upgrade to Apache Tomcat 8.5.23 or later
- Upgrade to Apache Tomcat 8.0.47 or later
- Upgrade to Apache Tomcat 7.0.82 or later
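
Added example (not part of the Apache advisory and not Tomcat's own code): a small Python audit helper that checks the two preconditions the description and mitigation list above set out. First, whether a Tomcat version string falls in an affected range, i.e. below the fixed release (9.0.1, 8.5.23, 8.0.47 or 7.0.82) for its release line, including milestone and RC tags such as 9.0.0.M1 and 8.0.0.RC1. Second, whether a web.xml enables HTTP PUT by setting the Default servlet's readonly init-param to false. The web.xml fragments are constructed for the example, and the check relies on Tomcat's DefaultServlet defaulting readonly to true (a fact about Tomcat, not something stated in the advisory). The script inspects configuration only and sends no requests.

```python
"""Audit helper for the CVE-2017-12617 preconditions (added example, not Apache code)."""
import xml.etree.ElementTree as ET

# Fixed versions taken from the advisory, keyed by (major, minor) release line.
FIXED_VERSIONS = {
    (9, 0): (9, 0, 1),
    (8, 5): (8, 5, 23),
    (8, 0): (8, 0, 47),
    (7, 0): (7, 0, 82),
}


def parse_version(text):
    """Comparable tuple for '8.5.22', '9.0.0.M1', '8.0.0.RC1'.

    A trailing milestone/RC tag marks a pre-release and sorts before the final
    release with the same numbers, so 9.0.0.M1 < 9.0.0 < 9.0.1.
    Tuple layout: (major, minor, patch, is_final, tag_kind, tag_number).
    """
    nums, tag = [], None
    for part in text.strip().split("."):
        if part.isdigit():
            nums.append(int(part))
        else:
            tag = part.upper()
            break
    if len(nums) != 3:
        raise ValueError("unsupported Tomcat version string: %r" % text)
    if tag is None:
        return (nums[0], nums[1], nums[2], 1, 0, 0)
    kind = 0 if tag.startswith("M") else 1          # milestones before RCs
    number = int("".join(ch for ch in tag if ch.isdigit()) or 0)
    return (nums[0], nums[1], nums[2], 0, kind, number)


def version_affected(text):
    """True if affected per the advisory, False if fixed, None if the release
    line (e.g. 6.0.x) is not covered by the advisory at all."""
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < parse_version("%d.%d.%d" % fixed)


def _local(tag):
    # web.xml may or may not declare the Java EE namespace; match on local name.
    return tag.rsplit("}", 1)[-1]


def put_enabled_in_web_xml(xml_text):
    """True if the Default servlet is configured with readonly=false.

    DefaultServlet defaults readonly to true, so PUT is only enabled when the
    init-param is explicitly set to false.
    """
    root = ET.fromstring(xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls, params = None, {}
        for child in servlet:
            if _local(child.tag) == "servlet-class":
                cls = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                pname = pvalue = None
                for c in child:
                    if _local(c.tag) == "param-name":
                        pname = (c.text or "").strip()
                    elif _local(c.tag) == "param-value":
                        pvalue = (c.text or "").strip()
                if pname is not None:
                    params[pname] = pvalue
        if cls == "org.apache.catalina.servlets.DefaultServlet":
            return (params.get("readonly") or "true").lower() == "false"
    return False


def assess(version, web_xml_text):
    """Combine both checks into one verdict string."""
    affected = version_affected(version)
    if affected is None:
        return "unknown: release line not covered by the advisory"
    if not affected:
        return "not vulnerable: version contains the fix"
    if not put_enabled_in_web_xml(web_xml_text):
        return "not exposed: affected version but PUT disabled (readonly=true)"
    return "VULNERABLE: affected version with PUT enabled on the Default servlet"


# Constructed sample configuration (not taken from any real deployment).
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""
# Hardened variant: readonly back to its default of true.
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

if __name__ == "__main__":
    for ver in ("8.5.22", "8.5.23", "9.0.0.M1", "9.0.1", "7.0.81", "6.0.53"):
        print(ver, "->", assess(ver, VULNERABLE_WEB_XML))
    print("8.5.22 hardened ->", assess("8.5.22", HARDENED_WEB_XML))
```

Run it against the version string reported by a Tomcat instance and the deployed conf/web.xml; the verdict separates "fixed", "affected but PUT disabled" and "affected with PUT enabled", which is the combination the advisory describes.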
Credit:
This issue was first disclosed publicly, and was subsequently reported
multiple times to the Apache Tomcat Security Team.
History:
2017-10-03 Original advisory
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html