Apache Tomcat Vulnerabilities

CVE-2017-12617

Apache Tomcat Remote Code Execution via JSP upload

This particular vulnerability allows malicious attackers to upload and execute JSP files on a vulnerable Tomcat server.  It is listed as affecting versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUT enabled.  Note that even if your version is in this list, the vulnerability requires the following parameter to be explicitly set on the default servlet in web.xml:

<init-param>
     <param-name>readonly</param-name>
     <param-value>false</param-value>
</init-param>

Yellowfin by default does NOT define this parameter.  Checking the web.xml at /appserver/conf/web.xml and confirming that the default servlet has no readonly parameter set to false will ensure your instance is not vulnerable.
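As an added example that is not part of the original article, the following Python performs that check against the contents of a web.xml: it locates the default servlet stanza and reports whether its readonly parameter leaves the servlet writable. The two web.xml samples are constructed for illustration; for a real check, pass in the text of the file at the path above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Tomcat's shipped default servlet stanza, which sets
# no "readonly" parameter at all (the safe, out-of-the-box state).
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample: the same stanza with readonly explicitly set to false,
# the precondition the article describes.
WRITABLE_WEB_XML = SAFE_WEB_XML.replace(
    "</servlet>",
    "  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>\n  </servlet>")

def _local(tag):
    # web.xml declares a default namespace; compare on the local tag name only.
    return tag.rsplit("}", 1)[-1]

def default_servlet_readonly(web_xml_text):
    """Effective 'readonly' setting of the default servlet (True when the parameter is absent).

    Tomcat's DefaultServlet parses an explicit value with Boolean.parseBoolean, so only
    "true" (any case) keeps the servlet read-only; any other explicit value makes it writable.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        fields = {}
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name", "")] = kv.get("param-value", "")
            else:
                fields[tag] = (child.text or "").strip()
        if fields.get("servlet-name") == "default" or \
                fields.get("servlet-class", "").endswith(".DefaultServlet"):
            value = params.get("readonly")
            return True if value is None else value.lower() == "true"
    return True  # no default servlet stanza in this file: nothing overrides Tomcat's default

def is_writable_default_servlet(web_xml_text):
    """True when the configuration matches the article's precondition (readonly=false)."""
    return not default_servlet_readonly(web_xml_text)
```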