Environment
iManager 3.0.2
iManager 2.7 SP7 Patch 11 (2.77.11)
iManager 2.7 SP7 Patch 11 (2.77.11)
Situation
Apache Tomcat has been found to be prone to a remote code-execution vulnerability. Since iManager both ships and uses Tomcat there are questions as to whether iManager is vulnerable.
Description:
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Description:
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Resolution
iManger is not impacted by the Tomcat vulnerability, CVE-2017-12617, in either 2.7 SP7 nor the 3.x versions.
iManager does not explicitly set the read-only to false on the default tomcat servlet and retains its default value of TRUE.
iManager does not explicitly set the read-only to false on the default tomcat servlet and retains its default value of TRUE.