Apache Warns of Tomcat Remote Code Execution Vulnerability

  • 11 September 2014
by Chris Brook    September 10, 2014
 
Some older versions of the open source Apache Tomcat web server and servlet container are vulnerable to remote code execution.

In what Mark Thomas, a longtime Apache Tomcat committer, calls “limited circumstances,” an attacker could upload a malicious JavaServer Pages (JSP) file to a server running Tomcat and later trigger its execution. A JSP shell run this way executes arbitrary commands on the server with the privileges of the Tomcat process.

Versions 7.0.0 to 7.0.39 should be considered vulnerable until patched, Thomas warned today; 7.0.40 is the first release that contains the fix.

Exploiting the vulnerability (CVE-2013-4444), found last week by Pierre Ernst of VMware’s Security Engineering, Communications and Response Group (vSECR), is easier said than done, according to Apache officials.
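Two checks a practitioner would want after reading the advisory, written here as an added example that is not code from the Threatpost article or from the Tomcat project: a version test against the 7.0.0 to 7.0.39 range the article names, and a scan of a Tomcat webapps tree for JSP files that carry the usual markers of an uploaded command shell. The shell markers (Runtime.exec, ProcessBuilder, a "cmd"-style request parameter) are heuristics assumed for this example, and the webapps tree the script scans is constructed in a temporary directory so it runs offline.

```python
"""Two checks for the Tomcat JSP-upload advisory: is a Tomcat build in the
affected range, and does a webapps tree contain JSP files that look like
command shells. The shell patterns are heuristics chosen for this example;
they are not taken from the Tomcat advisory."""
import os
import re
import tempfile

# Affected range stated in the advisory; 7.0.40 is the first fixed release.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (7, 0, 39)


def parse_version(text):
    """Pull (major, minor, patch) out of strings like 'Apache Tomcat/7.0.39'
    (the 'Server version' line of `catalina.sh version`) or a bare '7.0.39'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True if the version falls inside 7.0.0 .. 7.0.39 inclusive."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


# Heuristic markers of a JSP command shell (assumed for this example).
SHELL_PATTERNS = {
    "runtime_exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "process_builder": re.compile(r"new\s+ProcessBuilder\s*\("),
    "cmd_parameter": re.compile(
        r"getParameter\s*\(\s*[\"'](?:cmd|command|exec)[\"']\s*\)", re.IGNORECASE
    ),
}


def scan_jsp(path):
    """Return the names of the shell patterns found in one JSP file."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        source = fh.read()
    return [name for name, rx in SHELL_PATTERNS.items() if rx.search(source)]


def find_suspicious_jsps(webapps_dir):
    """Walk a Tomcat webapps directory and map each flagged JSP (path relative
    to webapps_dir, POSIX separators) to the pattern names it matched."""
    hits = {}
    for dirpath, _dirs, files in os.walk(webapps_dir):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            matched = scan_jsp(full)
            if matched:
                rel = os.path.relpath(full, webapps_dir).replace(os.sep, "/")
                hits[rel] = matched
    return hits


def build_sample_webapps():
    """Create a constructed webapps tree in a temp dir: one benign JSP and one
    that carries the markers of an uploaded shell. Returns the tree's root."""
    root = tempfile.mkdtemp(prefix="webapps-")
    os.makedirs(os.path.join(root, "app", "uploads"))
    with open(os.path.join(root, "app", "index.jsp"), "w", encoding="utf-8") as fh:
        fh.write('<%@ page contentType="text/html" %>\n<html><body>Hello</body></html>\n')
    with open(os.path.join(root, "app", "uploads", "x.jsp"), "w", encoding="utf-8") as fh:
        # Constructed sample of what a dropped JSP shell typically contains.
        fh.write('<% String c = request.getParameter("cmd");\n'
                 '   Runtime.getRuntime().exec(c); %>\n')
    return root


if __name__ == "__main__":
    for banner in ("Apache Tomcat/7.0.39", "Apache Tomcat/7.0.40"):
        print(banner, "affected" if is_affected(banner) else "not affected")
    for path, patterns in find_suspicious_jsps(build_sample_webapps()).items():
        print(path, patterns)
```

On a real host, point `find_suspicious_jsps` at `$CATALINA_BASE/webapps` and feed `is_affected` the output of `catalina.sh version`; a JSP that appears under an upload directory and matches any of these markers deserves a look regardless of the Tomcat version, since a regex scan will miss obfuscated shells and flag the occasional legitimate admin page.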

1 reply

It would seem to me the manufacturer of these servers would keep up on patches to prevent this, or do they just not care?
