The description of the search algorithm used by the CGI Servlet to identify which script to execute was incorrect. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that it is only the documentation that was incorrect, the behaviour of the CGI servlet remains unchanged. Versions Affected: Apache Tomcat 9.0.0.M22 to 9.0.1 Apache Tomcat 8.5.16 to 8.5.23 Apache Tomcat 8.0.45 to 8.0.47 Apache Tomcat 7.0.79 to 7.0.82 Upstream Advisory: http://tomcat.10.x6.nabble.com/SECURITY-CVE-2017-15706-Apache-Tomcat-Incorrectly-documented-CGI-search-algorithm-td5071565.html
Upstream indicates that the problematic documentation was introduced as part of the fix for the following upstream bug report: https://bz.apache.org/bugzilla/show_bug.cgi?id=61201 Matching commit is: http://svn.apache.org/viewvc?view=revision&revision=1799368 Upstream commits correcting the documentation (for various supported branches): http://svn.apache.org/viewvc?view=rev&rev=1814825 9.x http://svn.apache.org/viewvc?view=rev&rev=1814827 8.x http://svn.apache.org/viewvc?view=rev&rev=1814828 7.x As the relevant part of the documentation was only recently introduced upstream, it is not yet included in the Tomcat packages as shipped in Red Hat Enterprise Linux.
External References: http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.2 http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.48 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.84
Created tomcat tracking bugs for this issue: Affects: epel-6 [bug 1541082] Affects: fedora-all [bug 1541081]