
Re: [SECURITY] [DLA 1166-1] tomcat7 security update



Hi,

We are experiencing some problems with this update, as all apps cannot be
found anymore. They seem to get deployed, but everything, including the
root, returns 404. Also, there should be more logging from the app right
after deploying (if I look into old logs).
I tried running with the old JDK 1.6, but that doesn't make a difference.

After a manual dpkg downgrade to 7.0.28-4+deb7u15, all apps, incl. the root
page, are back.

Is this issue known?

Thanks,
Felix

Here is the log, let me know if you need more info:


Nov 9, 2017 2:34:04 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.24 using APR version 1.4.6.
Nov 9, 2017 2:34:04 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Nov 9, 2017 2:34:04 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLHonorCipherOrder' to 'on' did not find a matching property.
Nov 9, 2017 2:34:04 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLCompression' to 'off' did not find a matching property.
Nov 9, 2017 2:34:04 PM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1c 10 May 2012)
Nov 9, 2017 2:34:05 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-8080"]
Nov 9, 2017 2:34:05 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-0.0.0.0-443"]
Nov 9, 2017 2:34:05 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1409 ms
Nov 9, 2017 2:34:05 PM org.apache.catalina.core.StandardService startInternal
INFO: Starting service Catalina
Nov 9, 2017 2:34:05 PM org.apache.catalina.core.StandardEngine startInternal
INFO: Starting Servlet Engine: Apache Tomcat/7.0.28
Nov 9, 2017 2:34:05 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/lib/tomcat7/webapps/myapp.war
Nov 9, 2017 2:34:06 PM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive /var/lib/tomcat7/webapps/myappTest.war
Nov 9, 2017 2:34:06 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory /var/lib/tomcat7/webapps/ROOT
Nov 9, 2017 2:34:07 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-8080"]
Nov 9, 2017 2:34:07 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-apr-0.0.0.0-443"]
Nov 9, 2017 2:34:07 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1744 ms



On 07.11.2017 20:01, Roberto C. Sánchez wrote:
> Package        : tomcat7
> Version        : 7.0.28-4+deb7u16
> CVE ID         : CVE-2017-12617
> 
> 
> A remote code execution vulnerability has been discovered in tomcat7.
> 
> When HTTP PUT was enabled (e.g., via setting the readonly initialization
> parameter of the Default servlet to false) it was possible to upload a JSP
> file to the server via a specially crafted request. This JSP could then be
> requested and any code it contained would be executed by the server.
> 
> For Debian 7 "Wheezy", these problems have been fixed in version
> 7.0.28-4+deb7u16.
> 
> We recommend that you upgrade your tomcat7 packages.
> 
> Further information about Debian LTS security advisories, how to apply
> these updates to your system and frequently asked questions can be
> found at: https://wiki.debian.org/LTS
> 

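Added example, not part of this thread or of the Debian advisory: the DLA above says the CVE-2017-12617 upload only works when HTTP PUT is enabled, e.g. by setting the Default servlet's readonly init-param to false. The script below checks a Tomcat conf/web.xml (or a webapp's WEB-INF/web.xml) for exactly that precondition, so you can tell whether a host was exposed before the package update. The two web.xml documents are constructed samples, not files from the page; the function and constant names are my own. Beyond the advisory's example it also flags WebdavServlet, which in Tomcat extends DefaultServlet and honours the same readonly parameter (Tomcat's default for readonly is true, so an absent parameter is treated as safe).

```python
"""Flag Tomcat servlets that accept HTTP PUT because readonly is set to false.

Precondition for CVE-2017-12617 as described in DLA 1166-1: the Default
servlet (org.apache.catalina.servlets.DefaultServlet) has its 'readonly'
init-param set to false. Run against $CATALINA_BASE/conf/web.xml and every
deployed WEB-INF/web.xml. Example code, not from the Debian package or Tomcat.
"""
import sys
import xml.etree.ElementTree as ET

# Servlet classes that implement PUT/DELETE gated by the 'readonly' init-param.
# WebdavServlet is an addition beyond the advisory's example (it extends DefaultServlet).
PUT_CAPABLE_CLASSES = {
    "org.apache.catalina.servlets.DefaultServlet",
    "org.apache.catalina.servlets.WebdavServlet",
}

# Constructed sample: trimmed Tomcat 7 conf/web.xml with PUT enabled (weak setting).
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""

# Constructed sample: same file with readonly back at Tomcat's default (true).
HARDENED_WEB_XML = VULNERABLE_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>")


def _local(tag):
    """Strip the XML namespace ('{uri}servlet' -> 'servlet') so the check
    works for web.xml files with or without the Java EE namespace."""
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def find_put_enabled_servlets(web_xml_text):
    """Return the servlet-names whose class is PUT-capable and whose
    'readonly' init-param is explicitly false (case-insensitive, as Tomcat
    parses it with Boolean.parseBoolean). Absent readonly => safe default."""
    root = ET.fromstring(web_xml_text)
    hits = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = readonly = None
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = _text(child)
            elif tag == "servlet-class":
                cls = _text(child)
            elif tag == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = _text(p)
                    elif _local(p.tag) == "param-value":
                        pvalue = _text(p)
                if pname == "readonly":
                    readonly = pvalue
        if cls in PUT_CAPABLE_CLASSES and readonly is not None \
                and readonly.lower() == "false":
            hits.append(name)
    return hits


def check_file(path):
    """Read one web.xml from disk and report. Returns the list of hits."""
    with open(path, "rb") as fh:
        hits = find_put_enabled_servlets(fh.read())
    for name in hits:
        print("%s: servlet '%s' has readonly=false (HTTP PUT enabled)" % (path, name))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_put.py /var/lib/tomcat7/conf/web.xml [more web.xml ...]
        exposed = any(check_file(p) for p in sys.argv[1:])
        sys.exit(1 if exposed else 0)
    # No arguments: run against the constructed samples.
    print("vulnerable sample ->", find_put_enabled_servlets(VULNERABLE_WEB_XML))
    print("hardened sample   ->", find_put_enabled_servlets(HARDENED_WEB_XML))
```

A finding here means PUT was reachable on that servlet, so the host was in the exposed configuration the advisory describes regardless of the package version; the fix on the configuration side is to drop the readonly parameter or set it back to true, in addition to installing 7.0.28-4+deb7u16. The check only sees web.xml, so PUT exposed by a reverse proxy or a custom servlet is outside its scope.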
