tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chinoy Gupta <cgu...@adobe.com>
Subject RE: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
Date Wed, 22 Jun 2016 04:51:54 GMT
What about 8.5.x branch? Is that also affected. And I am not able to see this update on Tomcat
security page. Any reasons for that?

Regards,
Chinoy

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Tuesday, June 21, 2016 3:23 PM
To: users@tomcat.apache.org; dev@tomcat.apache.org; announce@tomcat.apache.org; announce@apache.org;
security@tomcat.apache.org
Subject: Fwd: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability


-------- Original Message --------
From: Jochen Wiedmann <jochen.wiedmann@gmail.com>
Sent: 21 June 2016 10:18:15 BST
To: private@commons.apache.org, "security@apache.org" <security@apache.org>, Tomcat
Security List <security@tomcat.apache.org>, announce@apache.org, Apache Commons Developers
List <dev@commons.apache.org>
Subject: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Fileupload 1.3 to 1.3.1
Apache Commons Fileupload 1.2 to 1.2.2
The unsupported Apache Commons Fileupload 1.0.x, and 1.1.x may also be affected.
Apache Tomcat 9.x to 9.0.0M6
Apache Tomcat 8.x to 8.0.35
Apache Tomcat 7.x to 7.0.69
Apache Tomcat 6.x
Unsupported versions of Apache Tomcat, like 5.x may also be affected.
Apache Struts 2.5.x, and previous versions, which are distributing Commons FileUpload 1.3.1,
or earlier versions.

Description:
A malicious client can send file upload requests that cause the HTTP server using the Apache
Commons Fileupload library to become unresponsive, preventing the server from servicing other
requests.

This flaw is not exploitable beyond causing the code to loop expending CPU resources.


Mitigation:
All users of Apache Commons Fileupload should upgrade to 1.3.2.
All users of Apache Tomcat should upgrade to 9.0.0M8, 8.0.36, or 7.0.70, respectively.
All users of Apache Struts should replace the copy of Commons FileUpload (which is distributed
as part of Struts) with the fixed version 1.3.2.

Workaround:

System administrators should restrict the permitted maximum size of HTTP request header values
(For example, Apache Httpd provides a LimitRequestFieldSize directive, and Apache Tomcat provides
a maxHttpHeaderSize attribute in their respective configuration files). A maximum header value
size of 2048 bytes would block all dangerous request.

Example:
File upload requests contain a so-called boundary in the Content-Type header:

    Content-Type: multipart/mixed;
          boundary=gc0p4Jq0M2Yt08jU534c0p

The boundary may be chosen by the request sender. In the case of previous versions of Apache
Commons Fileupload the boundary becomes dangerous, if its size is close to 4096 bytes.

Credit:
TERASOLUNA Framework Development Team at the Software Engineering, Research and Development
Headquarter, for detecting this flaw, and reporting it to the JPCERT/CC, Taki Uchiyama (JPCERT/CC
Vulnerability Handling Team) reported this problem to us.

References:
https://commons.apache.org/proper/commons-fileupload/security.html

--
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org


Note: Apache Tomcat 6.x and earlier are NOT affected.



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org For additional commands, e-mail:
dev-help@tomcat.apache.org

Mime
View raw message