A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution (CVE-2017-12615 and CVE-2017-12617). The issue is fixed upstream in 7.0.82 and 8.0.47. Mageia 6 (tomcat 8) and Mageia 5 (tomcat 7) are also affected.
Whiteboard: (none) => MGA6TOO MGA5TOO
QA Contact: (none) => security
Assignee: bugsquad => geiger.david68210
Fixed for Cauldron, mga6 and mga5!
Thanks David! CVE-2017-12615 was actually fixed in the previous update (Bug 21714).

Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=8307#c17

Advisory:
========================

Updated tomcat packages fix security vulnerability:

When running with HTTP PUTs enabled (e.g. via setting the readonly initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server (CVE-2017-12617).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.47
========================

Updated packages in core/updates_testing:
========================
tomcat-7.0.82-1.mga5
tomcat-admin-webapps-7.0.82-1.mga5
tomcat-docs-webapp-7.0.82-1.mga5
tomcat-javadoc-7.0.82-1.mga5
tomcat-jsvc-7.0.82-1.mga5
tomcat-jsp-2.2-api-7.0.82-1.mga5
tomcat-lib-7.0.82-1.mga5
tomcat-servlet-3.0-api-7.0.82-1.mga5
tomcat-el-2.2-api-7.0.82-1.mga5
tomcat-webapps-7.0.82-1.mga5
tomcat-8.0.47-1.mga6
tomcat-admin-webapps-8.0.47-1.mga6
tomcat-docs-webapp-8.0.47-1.mga6
tomcat-javadoc-8.0.47-1.mga6
tomcat-jsvc-8.0.47-1.mga6
tomcat-jsp-2.3-api-8.0.47-1.mga6
tomcat-lib-8.0.47-1.mga6
tomcat-servlet-3.1-api-8.0.47-1.mga6
tomcat-el-3.0-api-8.0.47-1.mga6
tomcat-webapps-8.0.47-1.mga6

from SRPMS:
tomcat-7.0.82-1.mga5.src.rpm
tomcat-8.0.47-1.mga6.src.rpm
Summary: tomcat new security issues CVE-2017-12615 and CVE-2017-12617 => tomcat new security issue CVE-2017-12617
Whiteboard: MGA6TOO MGA5TOO => MGA5TOO
Keywords: (none) => has_procedure
Assignee: geiger.david68210 => qa-bugs
Version: Cauldron => 6
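The bug description and the advisory text above both pin the exposure on two conditions: the Default servlet's readonly init-param set to false (so HTTP PUT is accepted) and a Tomcat release older than 7.0.82 / 8.0.47. The following offline audit script is an added example written for this page, not Mageia or Tomcat project code. It parses a Tomcat web.xml for that init-param on org.apache.catalina.servlets.DefaultServlet and compares a reported "Apache Tomcat/x.y.z" banner against the fixed versions named in this bug; the two web.xml samples are constructed for illustration, and branches other than 7.0.x and 8.0.x are reported as unknown because the page gives no fixed version for them.

```python
"""Offline audit for the Tomcat PUT-upload issue (CVE-2017-12617).

Added example, not Mageia or Tomcat project code. It checks the two
conditions described in the advisory: whether a Tomcat web.xml enables
HTTP PUT for the Default servlet (init-param "readonly" set to false),
and whether a reported version banner is at or past the fixed releases
(7.0.82 / 8.0.47). The web.xml samples below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases as stated in the bug report; other branches are not
# covered by this table and are reported as "unknown".
FIXED = {7: (7, 0, 82), 8: (8, 0, 47)}

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix such as '{http://...}servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_put_enabled(web_xml: str) -> bool:
    """Return True if the Default servlet in this web.xml accepts PUT.

    The Default servlet rejects PUT/DELETE unless its "readonly"
    init-param is explicitly set to false (the parameter defaults to true).
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text.strip() for c in servlet
                    if _local(c.tag) == "servlet-class" and c.text), "")
        if cls != DEFAULT_SERVLET_CLASS:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name" and child.text:
                    name = child.text.strip()
                elif _local(child.tag) == "param-value" and child.text:
                    value = child.text.strip()
            if name == "readonly" and value.lower() == "false":
                return True
    return False


def parse_version(banner: str):
    """Extract (major, minor, patch) from e.g. 'Apache Tomcat/8.0.47'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version in {banner!r}")
    return tuple(int(x) for x in m.groups())


def version_status(banner: str) -> str:
    """'fixed', 'vulnerable' or 'unknown' relative to the FIXED table."""
    v = parse_version(banner)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    return "fixed" if v >= fixed else "vulnerable"


def assess(web_xml: str, banner: str) -> str:
    """Combine the configuration and version checks into one verdict."""
    if not default_servlet_put_enabled(web_xml):
        return "not exposed: PUT disabled"
    status = version_status(banner)
    if status == "fixed":
        return "PUT enabled but version is fixed"
    return f"at risk: PUT enabled and version {status}"


# Constructed samples: the weak setting beside the hardened one.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")

if __name__ == "__main__":
    for name, xml in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        for banner in ("Apache Tomcat/8.0.46", "Apache Tomcat/8.0.47",
                       "Apache Tomcat/7.0.82"):
            print(name, banner, "->", assess(xml, banner))
```

Run it against the real /etc/tomcat/web.xml (and any application's WEB-INF/web.xml that redeclares the Default servlet) by passing the file contents to assess(). Even on a fixed release, leaving readonly=false means the server accepts PUT and DELETE for that context, so the hardened setting is the one to keep unless PUT is actually required.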
MGA5-32 on Asus A6000VM Xfce
No installation issues. This was an update to an existing previous tomcat installation.
Exercised a whole range of examples as per bug 8307 Comment 17. All work OK.
CC: (none) => herman.viaene
Whiteboard: MGA5TOO => MGA5TOO MGA5-32-OK
Keywords: (none) => advisory
Testing M6/64 using https://bugs.mageia.org/show_bug.cgi?id=21714#c3

Already installed, updated to:
- tomcat-8.0.47-1.mga6.noarch
- tomcat-admin-webapps-8.0.47-1.mga6.noarch
- tomcat-el-3.0-api-8.0.47-1.mga6.noarch
- tomcat-jsp-2.3-api-8.0.47-1.mga6.noarch
- tomcat-jsvc-8.0.47-1.mga6.noarch
- tomcat-lib-8.0.47-1.mga6.noarch
- tomcat-servlet-3.1-api-8.0.47-1.mga6.noarch
- tomcat-webapps-8.0.47-1.mga6.noarch

Ensured /etc/tomcat/tomcat-users.xml had the following lines:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="..." password="..." roles="manager-gui,admin-gui"/>

# systemctl restart tomcat

http://localhost:8080/ showed "Apache Tomcat/8.0.47"
'server status' button 1st use asked for user/password. Result sensible.
'manager app' button showed correct screen.
'host manager' button 1st use asked for user/password. Result sensible.

The equivalent direct links:
http://localhost:8080/manager/status
http://localhost:8080/manager/html
http://localhost:8080/host-manager/html
also worked as per the buttons on the home page.

Tried many of the applications. They mostly worked, but some groups yielded:
"HTTP Status 500 - The absolute uri: http://java.sun.com/jsp/jstl/core cannot be resolved in either web.xml or the jar files deployed with this application"
which has become normal.

OK for M6/64.
Whiteboard: MGA5TOO MGA5-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK
CC: (none) => lewyssmith
RedHat has issued an advisory for this on October 29: https://access.redhat.com/errata/RHSA-2017:3081
MGA6-32 on Asus A6000VM MATE
No installation issues. This was a fresh tomcat installation.
Edited tomcat users as per bug 8307 Comment 17.
Exercised a whole range of examples as per bug 8307 Comment 17. All work OK.
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK
Testing M5/64

Updated existing installation to:
- tomcat-7.0.82-1.mga5.noarch
- tomcat-admin-webapps-7.0.82-1.mga5.noarch
- tomcat-el-2.2-api-7.0.82-1.mga5.noarch
- tomcat-jsp-2.2-api-7.0.82-1.mga5.noarch
- tomcat-lib-7.0.82-1.mga5.noarch
- tomcat-servlet-3.0-api-7.0.82-1.mga5.noarch
- tomcat-webapps-7.0.82-1.mga5.noarch

with the usual provisions that /etc/tomcat/tomcat-users.xml had the following lines:
<role rolename="admin-gui"/>
<role rolename="manager-gui"/>
<user username="..." password="..." roles="manager-gui,admin-gui"/>
and
# systemctl restart tomcat

http://localhost:8080/ showed correctly "Apache Tomcat/7.0.82"
Otherwise tests as per comment 4 were the same, correct.

OK.
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK => MGA5TOO MGA5-32-OK MGA6-64-OK MGA6-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0400.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED