Member

CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0
Apache Tomcat 8.5.0 to 8.5.22
Apache Tomcat 8.0.0.RC1 to 8.0.46
Apache Tomcat 7.0.0 to 7.0.81

While I'm on UniFi 5.6.7 it looks like it's running a vulnerable version: tomcat-embed-core-7.0.78.jar

more info: http://mail-archives.apache.org/mod_mbox/www-announce/201710.mbox/%3Cf7229e11-5e8d-aa00-ff22-f0a7956...
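One way to check a controller's bundled Tomcat against the affected ranges listed above, as an added example (not code from this thread or from Ubiquiti): it parses Tomcat's milestone/RC suffixes so that 9.0.0.M1 and 8.0.0.RC1 sort before the corresponding final release, and scans a directory you supply for tomcat-embed-core-*.jar. The directory holding the controller's jars is an assumption you fill in.

```python
import re
from pathlib import Path

# Affected ranges for CVE-2017-12617, exactly as listed in the post above.
AFFECTED = [
    ("9.0.0.M1", "9.0.0"),
    ("8.5.0", "8.5.22"),
    ("8.0.0.RC1", "8.0.46"),
    ("7.0.0", "7.0.81"),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")
JAR_RE = re.compile(r"tomcat-embed-core-(.+)\.jar$")

def parse_version(v):
    """Turn a Tomcat version string into a sortable tuple.
    Milestone (M) and release-candidate (RC) builds sort before the final
    release of the same x.y.z, so 9.0.0.M1 < 9.0.0 and 8.0.0.RC1 < 8.0.0."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        stage = (2, 0)                  # final release
    elif m.group(4) == "M":
        stage = (0, int(m.group(5)))    # milestone
    else:
        stage = (1, int(m.group(5)))    # release candidate
    return (major, minor, patch) + stage

def is_affected(version):
    """True if version falls inside any affected range (bounds inclusive)."""
    pv = parse_version(version)
    return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in AFFECTED)

def version_from_jar(filename):
    """Extract the version from a tomcat-embed-core-<ver>.jar file name."""
    m = JAR_RE.search(filename)
    return m.group(1) if m else None

def scan_lib_dir(path):
    """Map each tomcat-embed-core jar under path to whether it is affected.
    'path' is whatever directory holds the controller's jars (an assumption)."""
    results = {}
    for jar in Path(path).rglob("tomcat-embed-core-*.jar"):
        ver = version_from_jar(jar.name)
        if ver:
            results[jar.name] = is_affected(ver)
    return results
```

Call scan_lib_dir() on the controller's lib directory; a True value means the jar's version sits inside one of the advisory's ranges and the controller should be updated to a build bundling a fixed Tomcat.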


All Replies
Member

Re: CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

And there's already a proof of concept exploit for this:

https://github.com/cyberheartmi9/CVE-2017-12617

Member

Re: CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

Is there really no one from UBNT picking this up?

Ubiquiti Employee

Re: CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

I'm not entirely sure if we are actually affected by this given our implementation. Although I definitely could be mistaken, so don't quote me on that.

More importantly we are preparing versions with an updated/patched Tomcat version. Both 5.5.25 and 5.6.19 will bundle 7.0.82. They may at least hit beta at latest by end of week, if not earlier.

Cheers,

Mike

Member

Re: CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

thanks mate!

Ubiquiti Employee

Re: CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload


edekkers wrote:
thanks mate!

You're welcome!

Cheers,

Mike
