製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache Tomcat における危険なタイプのファイルの無制限アップロードに関する脆弱性

Title	Apache Tomcat における危険なタイプのファイルの無制限アップロードに関する脆弱性
Summary	Apache Tomcat には、危険なタイプのファイルの無制限アップロードに関する脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Oct. 3, 2017, midnight
Registration Date	Oct. 31, 2017, 5:15 p.m.
Last Update	Dec. 11, 2017, 5:15 p.m.

CVSS3.0 : 重要
Score	8.1
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2.0 : 警告
Score	6.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected System

Apache Software Foundation

Apache Tomcat 7.0.0 から 7.0.81

Apache Tomcat 8.0.0.RC1 から 8.0.46

Apache Tomcat 8.5.0 から 8.5.22

Apache Tomcat 9.0.0.M1 から 9.0.0

日本電気

MailShooter

SimpWright

SpoolServer/Winspoolシリーズ

WebOTX

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-12617	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
National Vulnerability Database (NVD)
2	CVE-2017-12617	https://nvd.nist.gov/vuln/detail/CVE-2017-12617

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-434	https://cwe.mitre.org/data/definitions/434.html

ベンダー情報

No	Name	URL
Apache Tomcat
1	Fixed in Apache Tomcat 7.0.82	http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
2	Fixed in Apache Tomcat 8.0.47	http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.47
3	Fixed in Apache Tomcat 8.5.23	http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.23
4	Fixed in Apache Tomcat 9.0.1	http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.1
NEC製品セキュリティ情報
5	NV17-023	http://jpn.nec.com/security-info/secinfo/nv17-023.html
Pony Mail
6	[SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload	https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb@%3Cannounce.tomcat.apache.org%3E

その他

No	Name	URL
JPCERT 注意喚起
1	Apache Tomcat における脆弱性に関する注意喚起	https://www.jpcert.or.jp/at/2017/at170038.html
JVN
2	JVNVU#99259676	http://jvn.jp/vu/JVNVU99259676/index.html

Change Log

No	Changed Details	Date of change
0	[2017年10月31日] 掲載 [2017年11月09日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日本電気 (NV17-023) を追加 [2017年12月11日] 影響を受けるシステム：ベンダ情報 (NV17-023) の更新に伴い内容を更新	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2017-12617

Summary	When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Summary	Al ejecutar Apache Tomcat desde la versión 9.0.0.M1 hasta la 9.0.0, desde la 8.5.0 hasta la 8.5.22, desde la 8.0.0.RC1 hasta la 8.0.46 y desde la 7.0.0 hasta la 7.0.81 con los HTTP PUT habilitados (por ejemplo, configurando el parámetro de inicialización de solo lectura del servlet Default a "false"), es posible subir un archivo JSP al servidor mediante una petición especialmente manipulada. Este JSP se puede después solicitar y cualquier código que contenga se ejecutaría por el servidor.
Publication Date	Oct. 4, 2017, 10:29 a.m.
Registration Date	Jan. 26, 2021, 1:14 p.m.
Last Update	April 22, 2026, 2:03 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::	7.0.0			7.0.82
cpe:2.3:a:apache:tomcat::::::::	8.0			8.0.47
cpe:2.3:a:apache:tomcat::::::::	8.5.0			8.5.23
cpe:2.3:a:apache:tomcat::::::::	9.0.0			9.0.1
cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:18.04::::esm:::
cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
cpe:2.3:a:oracle:agile_plm:9.3.4:::::::*
cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:::::::*
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:::::::*
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:12.1.0.4.0:::::::*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::	7.3.3.0.0	7.3.5.3.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::	8.0.0.0.0	8.0.9.0.0
cpe:2.3:a:oracle:fmw_platform:12.2.1.2.0:::::::*
cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.1:::::::*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:::::::*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:::::::*
cpe:2.3:a:oracle:management_pack:11.2.1.0.13:::::goldengate::
cpe:2.3:a:oracle:micros_lucas:2.9.5:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.0.1:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.5.0:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.6.0:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.7.0:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.0:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.1:::::::*
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::		3.3.6.3293
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::	3.4.0	3.4.4.4226
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::	4.0.0	4.0.0.5135
cpe:2.3:a:oracle:retail_advanced_inventory_planning:13.2:::::::*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:13.4:::::::*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:::::::*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:::::::*
cpe:2.3:a:oracle:retail_back_office:14.0.4:::::::*
cpe:2.3:a:oracle:retail_back_office:14.1.3:::::::*
cpe:2.3:a:oracle:retail_central_office:14.0.4:::::::*
cpe:2.3:a:oracle:retail_central_office:14.1.3:::::::*
cpe:2.3:a:oracle:retail_convenience_and_fuel_pos_software:2.1.132:::::::*
cpe:2.3:a:oracle:retail_eftlink:1.1.124:::::::*
cpe:2.3:a:oracle:retail_eftlink:15.0.1:::::::*
cpe:2.3:a:oracle:retail_eftlink:16.0.2:::::::*
cpe:2.3:a:oracle:retail_insights:14.0:::::::*
cpe:2.3:a:oracle:retail_insights:14.1:::::::*
cpe:2.3:a:oracle:retail_insights:15.0:::::::*
cpe:2.3:a:oracle:retail_insights:16.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:12.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:13.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:13.1:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:13.2:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:14.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:14.1:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:15.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:16.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.1:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.2:::::::*
cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
cpe:2.3:a:oracle:retail_order_management_system:4.0:::::::*
cpe:2.3:a:oracle:retail_order_management_system:4.5:::::::*
cpe:2.3:a:oracle:retail_order_management_system:4.7:::::::*
cpe:2.3:a:oracle:retail_order_management_system:5.0:::::::*
cpe:2.3:a:oracle:retail_point-of-service:14.0.4:::::::*
cpe:2.3:a:oracle:retail_point-of-service:14.1.3:::::::*
cpe:2.3:a:oracle:retail_price_management:12.0:::::::*
cpe:2.3:a:oracle:retail_price_management:13.0:::::::*
cpe:2.3:a:oracle:retail_price_management:13.1:::::::*
cpe:2.3:a:oracle:retail_price_management:13.2:::::::*
cpe:2.3:a:oracle:retail_price_management:14.0:::::::*
cpe:2.3:a:oracle:retail_price_management:14.1:::::::*
cpe:2.3:a:oracle:retail_price_management:15.0:::::::*
cpe:2.3:a:oracle:retail_price_management:16.0:::::::*
cpe:2.3:a:oracle:retail_returns_management:2.3.8:::::::*
cpe:2.3:a:oracle:retail_returns_management:2.4.9:::::::*
cpe:2.3:a:oracle:retail_returns_management:14.0.4:::::::*
cpe:2.3:a:oracle:retail_returns_management:14.1.3:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:12.0.12:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:13.0.7:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:13.1.9:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:13.2.9:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:15.0.2:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:16.0.1:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:6.0.11:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.1:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.1:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.2:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.3:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.4:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.5:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.6:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.7:::::::*
cpe:2.3:a:oracle:tuxedo_system_and_applications_monitor:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:::::::*
cpe:2.3:a:oracle:workload_manager:12.2.0.1:::::::*
cpe:2.3:o:debian:debian_linux:7.0:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*	7.3
cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*	9.5
cpe:2.3:a:netapp:oncommand_balance:-:::::::*
cpe:2.3:a:netapp:oncommand_insight:-:::::::*
cpe:2.3:a:netapp:oncommand_shift:-:::::::*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:snapcenter:-:::::::*
cpe:2.3:o:netapp:element:-:::::vcenter_server::
cpe:2.3:a:redhat:fuse:1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*

Related information, measures and tools

No	URL	refsource
1	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	security@apache.org
2	http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	security@apache.org
3	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	security@apache.org
4	http://www.securityfocus.com/bid/100954	security@apache.org
5	http://www.securitytracker.com/id/1039552	security@apache.org
6	https://access.redhat.com/errata/RHSA-2017:3080	security@apache.org
7	https://access.redhat.com/errata/RHSA-2017:3081	security@apache.org
8	https://access.redhat.com/errata/RHSA-2017:3113	security@apache.org
9	https://access.redhat.com/errata/RHSA-2017:3114	security@apache.org
10	https://access.redhat.com/errata/RHSA-2018:0268	security@apache.org
11	https://access.redhat.com/errata/RHSA-2018:0269	security@apache.org
12	https://access.redhat.com/errata/RHSA-2018:0270	security@apache.org
13	https://access.redhat.com/errata/RHSA-2018:0271	security@apache.org
14	https://access.redhat.com/errata/RHSA-2018:0275	security@apache.org
15	https://access.redhat.com/errata/RHSA-2018:0465	security@apache.org
16	https://access.redhat.com/errata/RHSA-2018:0466	security@apache.org
17	https://access.redhat.com/errata/RHSA-2018:2939	security@apache.org
18	https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E	security@apache.org
19	https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E	security@apache.org
20	https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E	security@apache.org
21	https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E	security@apache.org
22	https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E	security@apache.org
23	https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E	security@apache.org
24	https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E	security@apache.org
25	https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E	security@apache.org
26	https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E	security@apache.org
27	https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E	security@apache.org
28	https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E	security@apache.org
29	https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E	security@apache.org
30	https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E	security@apache.org
31	https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E	security@apache.org
32	https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E	security@apache.org
33	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E	security@apache.org
34	https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E	security@apache.org
35	https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html	security@apache.org
36	https://security.netapp.com/advisory/ntap-20171018-0002/	security@apache.org
37	https://security.netapp.com/advisory/ntap-20180117-0002/	security@apache.org
38	https://support.f5.com/csp/article/K53173544	security@apache.org
39	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us	security@apache.org
40	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us	security@apache.org
41	https://usn.ubuntu.com/3665-1/	security@apache.org
42	https://www.exploit-db.com/exploits/42966/	security@apache.org
43	https://www.exploit-db.com/exploits/43008/	security@apache.org
44	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	security@apache.org
45	http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html	af854a3a-2127-422b-91ae-364da2661108
46	http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html	af854a3a-2127-422b-91ae-364da2661108
47	http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html	af854a3a-2127-422b-91ae-364da2661108
48	http://www.securityfocus.com/bid/100954	af854a3a-2127-422b-91ae-364da2661108
49	http://www.securitytracker.com/id/1039552	af854a3a-2127-422b-91ae-364da2661108
50	https://access.redhat.com/errata/RHSA-2017:3080	af854a3a-2127-422b-91ae-364da2661108
51	https://access.redhat.com/errata/RHSA-2017:3081	af854a3a-2127-422b-91ae-364da2661108
52	https://access.redhat.com/errata/RHSA-2017:3113	af854a3a-2127-422b-91ae-364da2661108
53	https://access.redhat.com/errata/RHSA-2017:3114	af854a3a-2127-422b-91ae-364da2661108
54	https://access.redhat.com/errata/RHSA-2018:0268	af854a3a-2127-422b-91ae-364da2661108
55	https://access.redhat.com/errata/RHSA-2018:0269	af854a3a-2127-422b-91ae-364da2661108
56	https://access.redhat.com/errata/RHSA-2018:0270	af854a3a-2127-422b-91ae-364da2661108
57	https://access.redhat.com/errata/RHSA-2018:0271	af854a3a-2127-422b-91ae-364da2661108
58	https://access.redhat.com/errata/RHSA-2018:0275	af854a3a-2127-422b-91ae-364da2661108
59	https://access.redhat.com/errata/RHSA-2018:0465	af854a3a-2127-422b-91ae-364da2661108
60	https://access.redhat.com/errata/RHSA-2018:0466	af854a3a-2127-422b-91ae-364da2661108
61	https://access.redhat.com/errata/RHSA-2018:2939	af854a3a-2127-422b-91ae-364da2661108
62	https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
63	https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
64	https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
65	https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
66	https://lists.apache.org/thread.html/3fd341a604c4e9eab39e7eaabbbac39c30101a022acc11dd09d7ebcb%40%3Cannounce.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
67	https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
68	https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
69	https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
70	https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
71	https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
72	https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
73	https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
74	https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
75	https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
76	https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
77	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
78	https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
79	https://lists.debian.org/debian-lts-announce/2017/11/msg00009.html	af854a3a-2127-422b-91ae-364da2661108
80	https://security.netapp.com/advisory/ntap-20171018-0002/	af854a3a-2127-422b-91ae-364da2661108
81	https://security.netapp.com/advisory/ntap-20180117-0002/	af854a3a-2127-422b-91ae-364da2661108
82	https://support.f5.com/csp/article/K53173544	af854a3a-2127-422b-91ae-364da2661108
83	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03812en_us	af854a3a-2127-422b-91ae-364da2661108
84	https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us	af854a3a-2127-422b-91ae-364da2661108
85	https://usn.ubuntu.com/3665-1/	af854a3a-2127-422b-91ae-364da2661108
86	https://www.exploit-db.com/exploits/42966/	af854a3a-2127-422b-91ae-364da2661108
87	https://www.exploit-db.com/exploits/43008/	af854a3a-2127-422b-91ae-364da2661108
88	https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	af854a3a-2127-422b-91ae-364da2661108
89	https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-12617	134c704f-9b21-4f2e-91b3-4a467353bcc0

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-434	危険なタイプのファイルの無制限アップロード	https://cwe.mitre.org/data/definitions/434.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat::::::::	7.0.0			7.0.82
cpe:2.3:a:apache:tomcat::::::::	8.0			8.0.47
cpe:2.3:a:apache:tomcat::::::::	8.5.0			8.5.23
cpe:2.3:a:apache:tomcat::::::::	9.0.0			9.0.1
cpe:2.3:o:canonical:ubuntu_linux:12.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:18.04::::esm:::
cpe:2.3:a:oracle:agile_plm:9.3.3:::::::*
cpe:2.3:a:oracle:agile_plm:9.3.4:::::::*
cpe:2.3:a:oracle:agile_plm:9.3.5:::::::*
cpe:2.3:a:oracle:agile_plm:9.3.6:::::::*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1:::::::*
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:::::::*
cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:::::::*
cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:12.1.0.4.0:::::::*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::	7.3.3.0.0	7.3.5.3.0
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure::::::::	8.0.0.0.0	8.0.9.0.0
cpe:2.3:a:oracle:fmw_platform:12.2.1.2.0:::::::*
cpe:2.3:a:oracle:fmw_platform:12.2.1.3.0:::::::*
cpe:2.3:a:oracle:health_sciences_empirica_inspections:1.0.1.1:::::::*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:::::::*
cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:::::::*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:::::::*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:::::::*
cpe:2.3:a:oracle:management_pack:11.2.1.0.13:::::goldengate::
cpe:2.3:a:oracle:micros_lucas:2.9.5:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.0.1:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.5.0:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.6.0:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.7.0:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.0:::::::*
cpe:2.3:a:oracle:micros_retail_xbri_loss_prevention:10.8.1:::::::*
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::		3.3.6.3293
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::	3.4.0	3.4.4.4226
cpe:2.3:a:oracle:mysql_enterprise_monitor::::::::	4.0.0	4.0.0.5135
cpe:2.3:a:oracle:retail_advanced_inventory_planning:13.2:::::::*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:13.4:::::::*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:::::::*
cpe:2.3:a:oracle:retail_advanced_inventory_planning:15.0:::::::*
cpe:2.3:a:oracle:retail_back_office:14.0.4:::::::*
cpe:2.3:a:oracle:retail_back_office:14.1.3:::::::*
cpe:2.3:a:oracle:retail_central_office:14.0.4:::::::*
cpe:2.3:a:oracle:retail_central_office:14.1.3:::::::*
cpe:2.3:a:oracle:retail_convenience_and_fuel_pos_software:2.1.132:::::::*
cpe:2.3:a:oracle:retail_eftlink:1.1.124:::::::*
cpe:2.3:a:oracle:retail_eftlink:15.0.1:::::::*
cpe:2.3:a:oracle:retail_eftlink:16.0.2:::::::*
cpe:2.3:a:oracle:retail_insights:14.0:::::::*
cpe:2.3:a:oracle:retail_insights:14.1:::::::*
cpe:2.3:a:oracle:retail_insights:15.0:::::::*
cpe:2.3:a:oracle:retail_insights:16.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:12.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:13.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:13.1:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:13.2:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:14.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:14.1:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:15.0:::::::*
cpe:2.3:a:oracle:retail_invoice_matching:16.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.1:::::::*
cpe:2.3:a:oracle:retail_order_broker:5.2:::::::*
cpe:2.3:a:oracle:retail_order_broker:15.0:::::::*
cpe:2.3:a:oracle:retail_order_broker:16.0:::::::*
cpe:2.3:a:oracle:retail_order_management_system:4.0:::::::*
cpe:2.3:a:oracle:retail_order_management_system:4.5:::::::*
cpe:2.3:a:oracle:retail_order_management_system:4.7:::::::*
cpe:2.3:a:oracle:retail_order_management_system:5.0:::::::*
cpe:2.3:a:oracle:retail_point-of-service:14.0.4:::::::*
cpe:2.3:a:oracle:retail_point-of-service:14.1.3:::::::*
cpe:2.3:a:oracle:retail_price_management:12.0:::::::*
cpe:2.3:a:oracle:retail_price_management:13.0:::::::*
cpe:2.3:a:oracle:retail_price_management:13.1:::::::*
cpe:2.3:a:oracle:retail_price_management:13.2:::::::*
cpe:2.3:a:oracle:retail_price_management:14.0:::::::*
cpe:2.3:a:oracle:retail_price_management:14.1:::::::*
cpe:2.3:a:oracle:retail_price_management:15.0:::::::*
cpe:2.3:a:oracle:retail_price_management:16.0:::::::*
cpe:2.3:a:oracle:retail_returns_management:2.3.8:::::::*
cpe:2.3:a:oracle:retail_returns_management:2.4.9:::::::*
cpe:2.3:a:oracle:retail_returns_management:14.0.4:::::::*
cpe:2.3:a:oracle:retail_returns_management:14.1.3:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:12.0.12:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:13.0.7:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:13.1.9:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:13.2.9:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:14.0.4:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:14.1.3:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:15.0.2:::::::*
cpe:2.3:a:oracle:retail_store_inventory_management:16.0.1:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:6.0.11:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1.6:::::::*
cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0.1:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.1:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.2:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.3:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.4:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.5:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.6:::::::*
cpe:2.3:a:oracle:transportation_management:6.3.7:::::::*
cpe:2.3:a:oracle:tuxedo_system_and_applications_monitor:12.1.3.0.0:::::::*
cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:::::::*
cpe:2.3:a:oracle:workload_manager:12.2.0.1:::::::*
cpe:2.3:o:debian:debian_linux:7.0:::::::*
cpe:2.3:a:netapp:active_iq_unified_manager::::::windows::*	7.3
cpe:2.3:a:netapp:active_iq_unified_manager::::::vmware_vsphere::*	9.5
cpe:2.3:a:netapp:oncommand_balance:-:::::::*
cpe:2.3:a:netapp:oncommand_insight:-:::::::*
cpe:2.3:a:netapp:oncommand_shift:-:::::::*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
cpe:2.3:a:netapp:snapcenter:-:::::::*
cpe:2.3:o:netapp:element:-:::::vcenter_server::
cpe:2.3:a:redhat:fuse:1.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:::::::*
cpe:2.3:a:redhat:jboss_enterprise_web_server_text-only_advisories:-:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.5:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_eus_compute_node:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:6.0_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.4_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.5_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.6_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:7.7_s390x:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:6.0_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.4_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.5_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.6_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:7.7_ppc64:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.4_ppc64le:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.5_ppc64le:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.6_ppc64le:::::::*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:7.7_ppc64le:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:::::::*