Bug 631420 (CVE-2017-12616) - <www-servers/tomcat-7.0.81: Information disclosure
Summary: <www-servers/tomcat-7.0.81: Information disclosure
Status: RESOLVED FIXED
Alias: CVE-2017-12616
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low minor
Assignee: Gentoo Security
URL: http://tomcat.apache.org/security-7.h...
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-19 13:46 UTC by Christopher Díaz Riveros (RETIRED)
Modified: 2017-10-19 22:36 UTC

See Also:
Package list:
=dev-java/tomcat-servlet-api-7.0.81 =www-servers/tomcat-7.0.81
Runtime testing required: ---
stable-bot: sanity-check+


Description Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 13:46:45 UTC
CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP Upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.79

Description:
When running on Windows with HTTP PUTs enabled (e.g. via setting the
readonly initialisation parameter of the Default to false) it was
possible to upload a JSP file to the server via a specially crafted
request. This JSP could then be requested and any code it contained
would be executed by the server.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81 or later (7.0.80 was not released)

Credit:
This issue was reported responsibly to the Apache Tomcat Security Team
by iswin from 360-sg-lab (360观星实验室)

History:
2017-09-19 Original advisory


----------------------------------------------------------------------

CVE-2017-12616 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 7.0.0 to 7.0.80

Description:
When using a VirtualDirContext it was possible to bypass security
constraints and/or view the source code of JSPs for resources served by
the VirtualDirContext using a specially crafted request.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 7.0.81

Credit:
This issue was identified by the Tomcat Security Team while
investigating CVE-2017-12615.

History:
2017-09-19 Original advisory
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 13:53:00 UTC
Changing Summary since we are not affected by CVE-2017-12615.

The fixed version is already in the tree.

@Maintainers, please call for stabilization when ready or let us know.

Gentoo Security Padawan
ChrisADR
Comment 2 Miroslav Šulc gentoo-dev 2017-09-19 14:10:25 UTC
I just marked =dev-java/tomcat-servlet-api-7.0.81 and =www-servers/tomcat-7.0.81 as stable on amd64. We just need to get it stable on x86 so that I could remove the affected version.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-19 14:49:33 UTC
(In reply to Miroslav Šulc from comment #2)
> i just marked =dev-java/tomcat-servlet-api-7.0.81 and
> =www-servers/tomcat-7.0.81 as stable on amd64. we just need to get it stable
> on x86 so that i could remove the affected version.

Thank you,

@x86 please let us know when ready.

Gentoo Security Padawan
ChrisADR
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-19 01:30:52 UTC
x86 has never stable versions.

@maintainers, please clean =7.0.79
Comment 5 Miroslav Šulc gentoo-dev 2017-10-19 07:42:16 UTC
7.0.79 removed
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-19 11:30:22 UTC
(In reply to Aaron Bauman from comment #4)
> x86 has never stable versions.
> 
> @maintainers, please clean =7.0.79

s/never/newer

Thanks!
Comment 7 Thomas Deutschmann gentoo-dev 2017-10-19 11:46:35 UTC
x86 stable