Can the UIM Dev team make an official announcement like the way the Spectrum group did:
CVE-2017-5638 - Struts 2 Vulnerability
I'm looking for a definitive answer to the Apache Vulnerabilities that were recently announced. That HF1 was for Liferay and was released before these very recent announcements.
We need to know today if we are affected with the current 8.5.1 wasp version that's running in production.
There was a newer announcement recently here:
CVE - CVE-2017-12617
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the read-only initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
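A defensive check for the two conditions named in the advisory text above (a Tomcat version inside the listed ranges, and a Default servlet configured as writable), given as an added example that is not part of the original post or of any vendor tooling. It assumes Tomcat's `org.apache.catalina.servlets.DefaultServlet` class name and its `readonly` init-param; the sample `web.xml` is constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as listed in the advisory text (inclusive, numeric part only).
AFFECTED = [((9, 0, 0), (9, 0, 0)), ((8, 5, 0), (8, 5, 22)),
            ((8, 0, 0), (8, 0, 46)), ((7, 0, 0), (7, 0, 81))]
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"

# Constructed sample: a web.xml fragment with writes enabled on the Default servlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

def version_in_range(version):
    """True if a Tomcat version string falls in a listed range.
    Suffixes such as .M1 or .RC1 are ignored: every pre-release of
    9.0.0 and 8.0.0 lies inside the listed ranges."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def _local(tag):
    # Drop the "{namespace}" prefix ElementTree adds to tag names.
    return tag.rsplit("}", 1)[-1]

def writable_default_servlets(web_xml):
    """Names of DefaultServlet declarations with readonly=false.
    When the parameter is absent, readonly defaults to true."""
    hits = []
    for servlet in (e for e in ET.fromstring(web_xml).iter() if _local(e.tag) == "servlet"):
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != DEFAULT_SERVLET:
            continue
        for p in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in p}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                hits.append(fields.get("servlet-name", "?"))
    return hits

def exposed(version, web_xml):
    """Both conditions from the advisory hold for this version and config."""
    return version_in_range(version) and bool(writable_default_servlets(web_xml))
```

Run it against the Tomcat version reported by the embedded server and against both `conf/web.xml` and each application's own `WEB-INF/web.xml`, since either can declare the servlet.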