Looks like there are a couple of Apache Tomcat vulnerabilities that may affect UIM and UMP, up to version 8.51. On the us-gov.cert site, it states:
The Apache Foundation has released security updates to address vulnerabilities in Apache Tomcat. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected server.
US-CERT encourages users and administrators to review the Apache advisories for CVE-2017-12615 and CVE-2017-12616 for more information and apply the necessary updates.
Are the UMP and/or UIM affected by these? Versions 8.47 and 8.51, per the release notes, have a third-party agreement with Tomcat versions 4.1.31 and 7.0.69. The recommended fix is to upgrade to Apache Tomcat 7.0.81.
It looks like dev is trying to bundle Apache 7.0.81 with the UIM 9.0 release.
Gene is correct - we plan to include 7.0.81 with UIM 9.0. Currently we have not seen any evidence that UIM/UMP are actually vulnerable to these exploits.
I was going through the release doc of UIM 9.0.2, and I could see Tomcat 7.0.69 mentioned under Third Party Software Agreements.
Won't the UIM version still be vulnerable?
Perfect! Thank you gents for the great info. I just received word from CA Support as well. I asked the following question:
Thanks for the info. You have confirmed that the UMP will be taken care of in the next release of the wasp. Is there an available ETA? And what about the UIM?
CA Response: "This vulnerability only affects UMP, since UMP uses wasp; it does not affect UIM. UIM/UMP 9.0 will be rolled out before the end of the year, but I do not have an exact ETA."
I recommend you apply the UMP-HF1 patch. It states: A critical vulnerability was discovered in the Liferay framework within UMP 7.5-8.5.1. This vulnerability could allow a remote attacker to gain full control of a server running UMP.
Thanks for the info Hipolito! I was able to get this patch applied a couple of months ago. This vulnerability is related to Liferay. The one in question is for Apache Tomcat.
Can the UIM Dev team make an official announcement like the way the Spectrum group did:
CVE-2017-5638 - Struts 2 Vulnerability
I'm looking for a definitive answer on the Apache vulnerabilities that were recently announced. That HF1 was for Liferay and was released before these very recent announcements.
We need to know today if we are affected with the current 8.5.1 wasp version that's running in production.
There was a newer announcement recently here:
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the read-only initialization parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
My understanding is that Liferay uses Struts 1.2 and therefore is not affected.
Regarding CVE-2017-12617, I tested this and did not find that we are vulnerable in an OOTB installation.
I used https://github.com/cyberheartmi9/CVE-2017-12617/blob/master/tomcat-cve-2017-12617.py
My output was:
[root@ledda02-F8405 CVE-2017-12617]# ./CVE-2017-12617.py -u http://ledda02-F8355
(ASCII-art banner omitted)
[@intx0x80]
Poc Filename Poc.jsp
Not Vulnerable to CVE-2017-12617
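The PoC above actually tries to PUT a JSP onto the server. A quieter check that gets at the same precondition quoted earlier in the thread (CVE-2017-12615/12617 are only exploitable when the Default servlet accepts HTTP PUT, i.e. its `readonly` init-param is false) is to inspect the Tomcat `web.xml` that the wasp or UMP instance runs with. The script below is an added example, not code from the original thread or from CA; the two `web.xml` documents it contains are constructed for illustration, not copied from a UIM install. One edge case it handles: Tomcat's DefaultServlet reads the parameter with `Boolean.parseBoolean`, so only the literal `true` (case-insensitive) keeps the servlet read-only; a typo such as `readonly=yes` also makes it writable.

```python
"""Audit a Tomcat web.xml for a writable Default servlet (the CVE-2017-12617
precondition). Added example; the sample documents below are constructed."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET_CLASS = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace so both namespaced and plain web.xml parse."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name: str):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name: str, default: str = "") -> str:
    kids = _children(elem, name)
    return (kids[0].text or "").strip() if kids else default


def default_servlet_writable(web_xml: str):
    """Return True if the Default servlet accepts PUT/DELETE, False if it is
    read-only, None if this web.xml does not declare the Default servlet at
    all (then Tomcat's global conf/web.xml governs and must be checked)."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _text(servlet, "servlet-class") != DEFAULT_SERVLET_CLASS:
            continue
        for param in _children(servlet, "init-param"):
            if _text(param, "param-name") == "readonly":
                # Tomcat uses Boolean.parseBoolean: anything but "true"
                # (case-insensitive) turns read-only OFF.
                value = _text(param, "param-value")
                return value.lower() != "true"
        return False  # readonly absent: Tomcat defaults to read-only
    return None


def audit(web_xml: str) -> str:
    state = default_servlet_writable(web_xml)
    if state is None:
        return "Default servlet not declared here; check conf/web.xml"
    if state:
        return "WRITABLE: Default servlet accepts PUT; set readonly=true"
    return "OK: Default servlet is read-only"


def _web_xml(extra_init_params: str) -> str:
    """Build a minimal, constructed Tomcat-style web.xml for the examples."""
    return f"""<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>{DEFAULT_SERVLET_CLASS}</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
    {extra_init_params}
  </servlet>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""


# Weak setting: PUT enabled, exactly the condition in the Tomcat advisory.
VULNERABLE_WEB_XML = _web_xml(
    "<init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>"
)
# Corrected setting: readonly left at its default (true).
HARDENED_WEB_XML = _web_xml("")
# Subtle misconfiguration: any value other than "true" also enables PUT.
TYPO_WEB_XML = _web_xml(
    "<init-param><param-name>readonly</param-name><param-value>yes</param-value></init-param>"
)

if __name__ == "__main__":
    for label, doc in [("vulnerable", VULNERABLE_WEB_XML),
                       ("hardened", HARDENED_WEB_XML),
                       ("typo", TYPO_WEB_XML)]:
        print(f"{label:10s} {audit(doc)}")
```

Point it at `conf/web.xml` of the bundled Tomcat and at each webapp's `WEB-INF/web.xml`; a webapp can redeclare the Default servlet, so a read-only global config is not by itself the end of the check. A "not vulnerable" result from the PoC and a read-only Default servlet here say the same thing from two sides; the version ranges quoted in the advisory are still the reason to move to 7.0.82 or later rather than rely on the configuration alone.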
Thank you Dave for the follow up and update...