DX Infrastructure Manager


Apache Tomcat Vulnerabilities

  • 1.  Apache Tomcat Vulnerabilities

    Posted 09-20-2017 08:53 PM

    Hi,

     

    Looks like there are a couple of Apache Tomcat vulnerabilities that may affect UIM and UMP, up to version 8.51.  On the us-gov.cert site, it states:

     

    The Apache Foundation has released security updates to address vulnerabilities in Apache Tomcat. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected server. 

    US-CERT encourages users and administrators to review the Apache advisories for CVE-2017-12615 and CVE-2017-12616 for more information and apply the necessary updates.

    Is the UMP and/or UIM affected by these?  Versions 8.47 and 8.51, per the release notes, have a 3rd party agreement with Tomcat versions 4.1.31 and 7.0.69.  The recommended fix is to upgrade to Apache Tomcat 7.0.81. 

     



  • 2.  Re: Apache Tomcat Vulnerabilities

    Posted 09-21-2017 12:03 PM

    It looks like dev is trying to bundle Apache 7.0.81 with the UIM 9.0 release.



  • 3.  Re: Apache Tomcat Vulnerabilities

    Posted 09-21-2017 12:03 PM

    Gene is correct - we plan to include 7.0.81 with UIM 9.0.  Currently we have not seen any evidence that UIM/UMP are actually vulnerable to these exploits.



  • 4.  Re: Apache Tomcat Vulnerabilities

    Posted 11-29-2018 06:01 AM

    Hi Jason,

     

    I was going through the release doc of IM 9.0.2, and I could see Tomcat 7.0.69 mentioned under Third Party Software Agreements.

     

    Won't the UIM version still be vulnerable?

     

    Regards,

    Saju Mathew



  • 5.  Re: Apache Tomcat Vulnerabilities

    Posted 09-21-2017 12:18 PM

    Perfect!  Thank you gents for the great info.  I just received word from CA Support as well. I asked the following question:

     

    Thanks for the info.  You have confirmed that the UMP will be taken care of in the next release of the wasp.  Is there an available ETA? And what about the UIM?

     

    CA Response:  "This vulnerability only affects UMP, since UMP uses wasp; it does not affect UIM.  UIM/UMP 9.0 will be rolled out before the end of the year, but I do not have an exact ETA."



  • 6.  Re: Apache Tomcat Vulnerabilities

    Posted 09-21-2017 04:09 PM

    Hello Christopher

    I recommend you apply the UMP-HF1 patch. It states:
    A critical vulnerability was discovered in the Liferay framework within UMP 7.5-8.5.1. This vulnerability could allow a remote attacker to gain full control of a server running UMP.

    Regards
    Hipólito



  • 7.  Re: Apache Tomcat Vulnerabilities

    Posted 09-21-2017 04:16 PM

    Thanks for the info Hipolito!  I was able to get this patch applied a couple of months ago. This vulnerability is related to Liferay.  The one in question is for Apache Tomcat.

     

    Thanks,

    Chris A.



  • 8.  Re: Apache Tomcat Vulnerabilities

    Posted 10-09-2017 03:11 PM

    Can the UIM Dev team make an official announcement like the way the Spectrum group did:

    CVE-2017-5638 - Struts 2 Vulnerability 

     

    I'm looking for a definitive answer to the Apache Vulnerabilities that were recently announced. That HF1 was for liferay and was released before these very recent announcements. 

     

    We need to know today if we are affected with the current 8.5.1 wasp version that's running in production.

    There was a newer announcement recently here:

    CVE-2017-12617

    When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the read-only initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
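    The advisory quoted above makes the precondition explicit: Tomcat's DefaultServlet only honours HTTP PUT when its readonly init-param is set to false, so the first thing an administrator can check on a wasp/UMP host is the deployment descriptor. The script below is an added example, not code from this thread, from CA, or from the Tomcat project; the two web.xml fragments are constructed for the demo, the function names are my own, and it assumes the standard DefaultServlet class name and init-param name (readonly, default true) documented by Tomcat.

```python
"""Audit a Tomcat web.xml for the DefaultServlet 'readonly' setting.

Added example, not from the thread. Tomcat's DefaultServlet refuses PUT/DELETE
unless <init-param>readonly</init-param> is explicitly set to false; that is
the precondition named in the CVE-2017-12617 advisory. Sample descriptors
below are constructed for this demo.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the XML namespace so '{http://.../javaee}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return True if DefaultServlet is read-only (PUT/DELETE refused),
    False if readonly=false is configured, None if the descriptor does not
    declare a DefaultServlet at all (Tomcat's global conf/web.xml then applies).
    Tomcat's built-in default when the param is absent is readonly=true."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        servlet_class = None
        params = {}
        for child in servlet:
            name = _local(child.tag)
            if name == "servlet-class":
                servlet_class = (child.text or "").strip()
            elif name == "init-param":
                pname = pvalue = None
                for sub in child:
                    if _local(sub.tag) == "param-name":
                        pname = (sub.text or "").strip()
                    elif _local(sub.tag) == "param-value":
                        pvalue = (sub.text or "").strip()
                if pname is not None:
                    params[pname] = pvalue or ""
        if servlet_class == DEFAULT_SERVLET_CLASS:
            return params.get("readonly", "true").lower() != "false"
    return None


def audit_finding(web_xml_text):
    """One-line, human-readable verdict for a descriptor (hypothetical helper)."""
    state = default_servlet_readonly(web_xml_text)
    if state is None:
        return "no DefaultServlet declared here; the global conf/web.xml setting applies"
    if state:
        return "OK: DefaultServlet readonly=true, HTTP PUT/DELETE refused"
    return "FINDING: DefaultServlet readonly=false, HTTP PUT enabled (CVE-2017-12617 precondition)"


# Constructed weak descriptor: the exact setting the advisory warns about.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

# Constructed hardened descriptor: readonly left at its default (true).
HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(f"{label:9s} {audit_finding(text)}")
```

    Run it against both the global conf/web.xml and each application's WEB-INF/web.xml, since a webapp can redeclare the default servlet and override the global value; the script reports "no DefaultServlet declared" for a descriptor that inherits the global setting rather than guessing. Note that this only confirms the configuration precondition the advisory names; it does not replace upgrading to a fixed Tomcat build.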



  • 9.  Re: Apache Tomcat Vulnerabilities

    Posted 10-27-2017 12:42 PM

    Daniel,

     

    My understanding is that Liferay uses Struts 1.2 and therefore is not affected.

     

    Regarding CVE-2017-12617, I tested this and did not find that we are vulnerable in an OOTB installation.

    I used https://github.com/cyberheartmi9/CVE-2017-12617/blob/master/tomcat-cve-2017-12617.py

     

    My output was:

    [root@ledda02-F8405 CVE-2017-12617]# ./CVE-2017-12617.py -u http://ledda02-F8355
    (ASCII-art banner omitted)  [@intx0x80]
    Poc Filename Poc.jsp
    Not Vulnerable to CVE-2017-12617


  • 10.  Re: Apache Tomcat Vulnerabilities

    Posted 10-27-2017 02:25 PM

    Thank you Dave for the follow up and update...