The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat: code execution via HTTP PUT JSP File

Summary of the vulnerability

An attacker can upload a JSP file to an Apache Tomcat server that has HTTP PUT enabled on the Default servlet, then request that file in order to run code on the server.
Impacted software: Tomcat, NetWorker, Fedora, ePO, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***.
Severity of this computer vulnerability: 3/4.
Creation date: 19/09/2017.
References for this announcement: 504539, CERTFR-2017-AVI-314, CVE-2017-12615, ESA-2017-097, FEDORA-2017-ef7c118dbc, FEDORA-2017-f499ee7b12, RHSA-2017:3080-01, RHSA-2017:3081-01, RHSA-2017:3113-01, RHSA-2017:3114-01, RHSA-2018:0465-01, RHSA-2018:0466-01, SB10218, SUSE-SU-2017:3059-1, Synology-SA-17:54, VIGILANCE-VUL-23872.

Description of the vulnerability 

Apache Tomcat's Default servlet accepts HTTP PUT and DELETE requests only when its readonly initialisation parameter is set to false (the shipped default is true). CVE-2017-12615 covers Tomcat 7.0.0 to 7.0.79 on Windows: with PUT enabled, a specially crafted PUT request could store a file with a .jsp extension in the web application, and a subsequent GET for that file caused Tomcat to compile and execute any code it contained.

An attacker can therefore use this vulnerability via HTTP PUT of a JSP file to Apache Tomcat in order to run code on the server.

This threat bulletin impacts software or systems such as Tomcat, NetWorker, Fedora, ePO, RHEL, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***.

The Vigil@nce team rates the severity of this threat bulletin as important (3/4).

Trust level: confirmed by the vendor. Attack origin: internet client.

A proof of concept or attack tool is publicly available, so your teams should process this alert. An attacker with technician-level skills can exploit this threat.
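The two checks below are an added example written for this bulletin; they are not code from Vigil@nce or from the Apache Tomcat project. The first parses a web.xml and reports whether the servlet named "default" has readonly set to false, which is the precondition for the PUT described above. The second scans Tomcat access-log lines in the AccessLogValve "common" pattern for PUT or DELETE requests aimed at JSP paths, normalising the request target (query string dropped, percent-decoded, trailing slashes and whitespace stripped) so that a suffix appended after the .jsp extension does not hide the write. The web.xml fragment and the log lines are constructed samples; the servlet-name lookup, the log pattern and the suffix normalisation are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# Constructed sample: a web.xml that enables PUT/DELETE on the Default servlet
# (readonly=false). Tomcat ships readonly=true, so this is the weak setting.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Hardened form of the same fragment: readonly=true.
SAFE_WEB_XML = WEAK_WEB_XML.replace("<param-value>false</param-value>",
                                    "<param-value>true</param-value>")

# Constructed access-log lines in the "common" pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
203.0.113.7 - - [19/Sep/2017:10:15:31 +0000] "GET /index.jsp HTTP/1.1" 200 1024
203.0.113.7 - - [19/Sep/2017:10:15:32 +0000] "PUT /upload/notes.txt HTTP/1.1" 201 -
198.51.100.23 - - [19/Sep/2017:10:16:05 +0000] "PUT /cmd.jsp/ HTTP/1.1" 201 -
198.51.100.23 - - [19/Sep/2017:10:16:06 +0000] "GET /cmd.jsp HTTP/1.1" 200 312
198.51.100.23 - - [19/Sep/2017:10:16:40 +0000] "PUT /backdoor.jsp%20 HTTP/1.1" 403 -
192.0.2.9 - - [19/Sep/2017:10:17:00 +0000] "DELETE /cmd.jsp HTTP/1.1" 204 -
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WRITE_METHODS = {"PUT", "DELETE"}  # what the Default servlet handles when readonly=false
JSP_EXTENSIONS = (".jsp", ".jspx")


def _local(tag):
    """Strip the XML namespace prefix that ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml):
    """True if the servlet named 'default' sets init-param readonly=false.

    The parameter defaults to true when absent, so a missing entry reports as safe.
    """
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text or "" for c in servlet if _local(c.tag) == "servlet-name"), "")
        if name.strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            fields = {_local(c.tag): (c.text or "").strip() for c in param}
            if fields.get("param-name") == "readonly":
                return fields.get("param-value", "").lower() == "false"
    return False


def normalise_target(target):
    """Reduce a request target to the file name a PUT would create.

    Drops the query string, percent-decodes, then strips trailing slashes and
    whitespace: suffixes that still name a .jsp file but hide it from a naive match.
    """
    path = unquote(target.split("?", 1)[0])
    return path.rstrip("/ \t")


def is_jsp_write(method, target):
    """True for a PUT/DELETE whose normalised target ends in a JSP extension."""
    if method.upper() not in WRITE_METHODS:
        return False
    return normalise_target(target).lower().endswith(JSP_EXTENSIONS)


def scan_access_log(lines):
    """One finding per JSP write; 'succeeded' marks a 201 (created) or 204 (no content)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_jsp_write(m["method"], m["target"]):
            continue
        hits.append({
            "host": m["host"],
            "method": m["method"],
            "target": m["target"],
            "status": int(m["status"]),
            "succeeded": m["status"] in ("201", "204"),
        })
    return hits


if __name__ == "__main__":
    print("weak web.xml writable:", default_servlet_writable(WEAK_WEB_XML))
    print("safe web.xml writable:", default_servlet_writable(SAFE_WEB_XML))
    for hit in scan_access_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

On the constructed log the scanner flags the PUT of /cmd.jsp/ (201, succeeded), the PUT of /backdoor.jsp%20 (403, refused) and the DELETE of /cmd.jsp (204), and ignores the PUT of a .txt file. A 201 or 204 on a JSP path from an unexpected client is the line to escalate; a 403 still shows someone probing for the setting.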

Solutions for this threat 

Apache Tomcat: version 7.0.81.
Version 7.0.81 is fixed:
  http://tomcat.apache.org/download-70.cgi
Independently of the upgrade, keep the Default servlet's readonly parameter at its default of true unless the application genuinely needs HTTP PUT and DELETE.

EMC NetWorker: solution for Apache Tomcat.
The solution is indicated in information sources.

Fedora: new tomcat packages.
New packages are available:
  Fedora 25: tomcat 8.0.47-1.fc25
  Fedora 26: tomcat 8.0.47-1.fc26

McAfee ePolicy Orchestrator: patch for Tomcat.
A patch is indicated in information sources.

Red Hat JBoss Web Server: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.2

Red Hat JBoss Web Server: version 3.1.0 Service Pack 2.
The version 3.1.0 Service Pack 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=3.1

RHEL 6.9: new tomcat6 packages.
New packages are available:
  RHEL 6: tomcat6 6.0.24-111.el6_9

RHEL 7.4: new tomcat packages (30/10/2017).
New packages are available:
  RHEL 7: tomcat 7.0.76-3.el7_4

SUSE LE 12 RTM: new tomcat packages.
New packages are available:
  SUSE LE 12 RTM: tomcat 7.0.82-7.16.1

Computer vulnerabilities tracking service 

Vigil@nce provides system vulnerability alerts. Each administrator can customize the list of products for which they want to receive vulnerability alerts.