Bug 21933 - tomcat new security issue CVE-2017-12617
Summary: tomcat new security issue CVE-2017-12617
Status: RESOLVED FIXED
Product: Mageia
Component: RPM Packages
Version: 6
Hardware: All Linux
Priority: Normal
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32...
Keywords: advisory, has_procedure, validated_update
Reported: 2017-10-25 23:00 CEST by David GEIGER
Modified: 2017-11-02 22:48 CET
Source RPM: tomcat-8.0.46-1.mga7.src.rpm

Description David GEIGER 2017-10-25 23:00:51 CEST
A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution (CVE-2017-12615 and CVE-2017-12617).

The issue is fixed upstream in 7.0.82 and 8.0.47.


Mageia 6 (tomcat 8) and Mageia 5 (tomcat 7) are also affected.
David GEIGER 2017-10-25 23:02:59 CEST

Whiteboard: (none) => MGA6TOO MGA5TOO
QA Contact: (none) => security
Assignee: bugsquad => geiger.david68210

Comment 1 David GEIGER 2017-10-25 23:13:05 CEST
Fixed for Cauldron, mga6 and mga5!
Comment 2 David Walser 2017-10-26 17:35:27 CEST
Thanks David!

CVE-2017-12615 was actually fixed in the previous update (Bug 21714).

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

When running with HTTP PUTs enabled (e.g. via setting the readonly
initialization parameter of the Default servlet to false) it was possible to
upload a JSP file to the server via a specially crafted request. This JSP could
then be requested and any code it contained would be executed by the server
(CVE-2017-12617).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.47
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.82-1.mga5
tomcat-admin-webapps-7.0.82-1.mga5
tomcat-docs-webapp-7.0.82-1.mga5
tomcat-javadoc-7.0.82-1.mga5
tomcat-jsvc-7.0.82-1.mga5
tomcat-jsp-2.2-api-7.0.82-1.mga5
tomcat-lib-7.0.82-1.mga5
tomcat-servlet-3.0-api-7.0.82-1.mga5
tomcat-el-2.2-api-7.0.82-1.mga5
tomcat-webapps-7.0.82-1.mga5
tomcat-8.0.47-1.mga6
tomcat-admin-webapps-8.0.47-1.mga6
tomcat-docs-webapp-8.0.47-1.mga6
tomcat-javadoc-8.0.47-1.mga6
tomcat-jsvc-8.0.47-1.mga6
tomcat-jsp-2.3-api-8.0.47-1.mga6
tomcat-lib-8.0.47-1.mga6
tomcat-servlet-3.1-api-8.0.47-1.mga6
tomcat-el-3.0-api-8.0.47-1.mga6
tomcat-webapps-8.0.47-1.mga6

from SRPMS:
tomcat-7.0.82-1.mga5.src.rpm
tomcat-8.0.47-1.mga6.src.rpm

Summary: tomcat new security issues CVE-2017-12615 and CVE-2017-12617 => tomcat new security issue CVE-2017-12617
Whiteboard: MGA6TOO MGA5TOO => MGA5TOO
Keywords: (none) => has_procedure
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 6

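As an added example (not code from the Mageia bug, the advisory, or the Tomcat project), the following Python check parses a Tomcat web.xml, reports whether the Default servlet is configured with readonly=false as the advisory describes, and rewrites that setting to true. The web.xml sample is constructed for the example; the namespace handling covers both the Tomcat 7 and Tomcat 8 schema URIs.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a real Mageia file): a conf/web.xml whose Default
# servlet has readonly=false, the weak setting described in the advisory.
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>
"""

def _local(tag):
    """Drop the namespace: Tomcat 7 and 8 web.xml files use different schema URIs."""
    return tag.rsplit("}", 1)[-1]

def _default_servlet(root):
    """Return the <servlet> element declaring DefaultServlet, or None."""
    for servlet in root.iter():
        if _local(servlet.tag) == "servlet":
            cls = [c for c in servlet if _local(c.tag) == "servlet-class"]
            if cls and (cls[0].text or "").strip() == "org.apache.catalina.servlets.DefaultServlet":
                return servlet
    return None

def _init_params(servlet):
    """Yield {local-tag: element} dicts for each <init-param> of a servlet."""
    for param in (servlet if servlet is not None else []):
        if _local(param.tag) == "init-param":
            yield {_local(c.tag): c for c in param}

def default_servlet_readonly(web_xml_text):
    """True if the Default servlet rejects PUT/DELETE. An absent param means Tomcat's
    default (readonly=true); Tomcat parses the value with Boolean.parseBoolean, so
    only a literal 'true' (any case) keeps the servlet read-only."""
    for p in _init_params(_default_servlet(ET.fromstring(web_xml_text))):
        if (p["param-name"].text or "").strip() == "readonly":
            return (p["param-value"].text or "").strip().lower() == "true"
    return True

def harden(web_xml_text):
    """Return web_xml_text with the Default servlet's readonly param forced to true."""
    root = ET.fromstring(web_xml_text)
    for p in _init_params(_default_servlet(root)):
        if (p["param-name"].text or "").strip() == "readonly":
            p["param-value"].text = "true"
    return ET.tostring(root, encoding="unicode")
```

Running the check over the sample returns False (uploads via PUT are accepted), and over the hardened output returns True.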
Comment 3 Herman Viaene 2017-10-27 11:06:23 CEST
MGA5-32 on Asus A6000VM Xfce
No installation issues.
This was an update to an existing previous tomcat installation.
Exercised a whole range of examples as per bug 8307 Comment 17. All work OK.

CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK

Lewis Smith 2017-10-29 21:19:51 CET

Keywords: (none) => advisory

Comment 4 Lewis Smith 2017-10-29 21:55:14 CET
Testing M6/64 using https://bugs.mageia.org/show_bug.cgi?id=21714#c3

Already installed, updated to:
- tomcat-8.0.47-1.mga6.noarch
- tomcat-admin-webapps-8.0.47-1.mga6.noarch
- tomcat-el-3.0-api-8.0.47-1.mga6.noarch
- tomcat-jsp-2.3-api-8.0.47-1.mga6.noarch
- tomcat-jsvc-8.0.47-1.mga6.noarch
- tomcat-lib-8.0.47-1.mga6.noarch
- tomcat-servlet-3.1-api-8.0.47-1.mga6.noarch
- tomcat-webapps-8.0.47-1.mga6.noarch

Ensured /etc/tomcat/tomcat-users.xml had the following lines:
 <role rolename="admin-gui"/>
 <role rolename="manager-gui"/>
 <user username="..." password="..." roles="manager-gui,admin-gui"/>

 # systemctl restart tomcat

 http://localhost:8080/ showed "Apache Tomcat/8.0.47"
'server status' button 1st use asked for user/password. Result sensible.
'manager app' button showed correct screen.
'host manager' button 1st use asked for user/password. Result sensible.

The equivalent direct links:
 http://localhost:8080/manager/status
 http://localhost:8080/manager/html
 http://localhost:8080/host-manager/html
also worked as per the buttons on the home page.

Tried many of the applications. They mostly worked, but some groups yielded:
"HTTP Status 500 - The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application"
which has become normal.

OK for M6/64.

Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => lewyssmith

Comment 5 David Walser 2017-10-31 14:51:55 CET
RedHat has issued an advisory for this on October 29:
https://access.redhat.com/errata/RHSA-2017:3081
Comment 6 Herman Viaene 2017-11-02 10:20:35 CET
MGA6-32 on Asus A6000VM MATE
No installation issues.
This was a fresh tomcat installation. Edited tomcat users as per bug 8307 Comment 17.
Exercised a whole range of examples as per bug 8307 Comment 17. All work OK.

Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK

Comment 7 Lewis Smith 2017-11-02 12:04:58 CET
Testing M5/64

Updated existing installation to:
- tomcat-7.0.82-1.mga5.noarch
- tomcat-admin-webapps-7.0.82-1.mga5.noarch
- tomcat-el-2.2-api-7.0.82-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.82-1.mga5.noarch
- tomcat-lib-7.0.82-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.82-1.mga5.noarch
- tomcat-webapps-7.0.82-1.mga5.noarch

with the usual provisions that /etc/tomcat/tomcat-users.xml had the following lines:
 <role rolename="admin-gui"/>
 <role rolename="manager-gui"/>
 <user username="..." password="..." roles="manager-gui,admin-gui"/>
and
 # systemctl restart tomcat

 http://localhost:8080/ showed correctly "Apache Tomcat/7.0.82"
Otherwise tests as per comment 4 were the same, correct. OK.

Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 8 Mageia Robot 2017-11-02 22:48:07 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0400.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
