The Apache Software Foundation has released Apache Tomcat 9.0.1 and 8.5.23 to address CVE-2017-12617, a remote code execution vulnerability via JSP upload in previous versions of the software. When Tomcat runs with HTTP PUT enabled (for example, by setting the readonly initialization parameter of the Default servlet to false), a remote attacker could upload a JSP file to the server via a specially crafted request. Requesting that JSP would then cause the server to execute any code it contained, allowing the attacker to take control of the affected server.
Users and administrators are encouraged to review the Apache security advisory for CVE-2017-12617 and apply the necessary updates.
Apple Releases iOS 11.0.2
Apple has also released iOS 11.0.2 to address vulnerabilities in previous versions of iOS. Exploitation of some of these vulnerabilities could allow a remote attacker to take control of an affected system.
Watch Out For Las Vegas Scams
Users are advised to watch for malicious cyber activity targeting both victims and potential donors in the wake of Sunday's tragic event in Las Vegas.
Internet users are advised to exercise caution when handling emails that relate to the event, even if those emails appear to originate from trusted sources. Event-related phishing emails may trick users into sharing sensitive information. Such emails could also contain links or attachments directing users to malware-infected websites. In addition, users should be wary of social media pleas, calls, texts, fraudulent donation websites, and door-to-door solicitations relating to the recent tragic event.
To avoid becoming victims of fraudulent activity, users and administrators should consider taking the following preventive measures:
- Review information from the Federal Trade Commission on Charity Giving, which includes links to check if charity organizations are legitimate.
- Use caution when opening email attachments, and do not click on links in unsolicited email messages. Refer to the US-CERT Tip on Using Caution with Email Attachments.
- Refer to US-CERT’s Tip on Avoiding Social Engineering and Phishing Attacks.