tomcat-dev mailing list archives
From Jochen Wiedmann <jochen.wiedm...@gmail.com>
Subject Re: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
Date Tue, 21 Jun 2016 11:18:05 GMT
Thanks for forwarding. I hope that everything is alright with the announcement?


On Tue, Jun 21, 2016 at 11:53 AM, Mark Thomas <markt@apache.org> wrote:
>
> -------- Original Message --------
> From: Jochen Wiedmann <jochen.wiedmann@gmail.com>
> Sent: 21 June 2016 10:18:15 BST
> To: private@commons.apache.org, "security@apache.org" <security@apache.org>, Tomcat
> Security List <security@tomcat.apache.org>, announce@apache.org, Apache Commons Developers
> List <dev@commons.apache.org>
> Subject: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
>
> CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
>
> Severity: Moderate
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Commons Fileupload 1.3 to 1.3.1
> Apache Commons Fileupload 1.2 to 1.2.2
> The unsupported Apache Commons Fileupload 1.0.x, and 1.1.x may also be affected.
> Apache Tomcat 9.x to 9.0.0M6
> Apache Tomcat 8.x to 8.0.35
> Apache Tomcat 7.x to 7.0.69
> Apache Tomcat 6.x
> Unsupported versions of Apache Tomcat, like 5.x may also be affected.
> Apache Struts 2.5.x, and previous versions, which are distributing
> Commons FileUpload 1.3.1, or earlier versions.
>
> Description:
> A malicious client can send file upload requests that cause the HTTP server
> using the Apache Commons Fileupload library to become unresponsive, preventing
> the server from servicing other requests.
>
> This flaw is not exploitable beyond causing the code to loop expending
> CPU resources.
>
>
> Mitigation:
> All users of Apache Commons Fileupload should upgrade to 1.3.2.
> All users of Apache Tomcat should upgrade to 9.0.0M8, 8.0.36, or
> 7.0.70, respectively.
> All users of Apache Struts should replace the copy of Commons
> FileUpload (which is distributed as part of Struts) with the fixed
> version 1.3.2.
>
> Workaround:
>
> System administrators should restrict the permitted maximum size of HTTP request
> header values (for example, Apache Httpd provides a LimitRequestFieldSize directive,
> and Apache Tomcat provides a maxHttpHeaderSize attribute in their respective
> configuration files). A maximum header value size of 2048 bytes would block all
> dangerous requests.
>
> Example:
> File upload requests contain a so-called boundary in the Content-Type header:
>
>     Content-Type: multipart/mixed;
>           boundary=gc0p4Jq0M2Yt08jU534c0p
>
> The boundary may be chosen by the request sender. In the case of previous versions
> of Apache Commons Fileupload the boundary becomes dangerous, if its size is close
> to 4096 bytes.
>
> Credit:
> TERASOLUNA Framework Development Team at the Software Engineering,
> Research and Development Headquarter, for detecting this flaw, and reporting
> it to the JPCERT/CC. Taki Uchiyama (JPCERT/CC Vulnerability Handling Team) reported this
> problem to us.
>
> References:
> https://commons.apache.org/proper/commons-fileupload/security.html
>
> --
> The next time you hear: "Don't reinvent the wheel!"
>
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>
>
>
> Note: Apache Tomcat 6.x and earlier are NOT affected.
>
>



-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

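The header-size workaround and the boundary parameter described in the quoted advisory, as an added example that is not part of the original mail, Commons FileUpload or Tomcat: a small pre-filter that applies the 2048-byte header value limit to Content-Type and reports the boundary length for logging. The sample header values (the advisory's own folded example, a quoted browser-style boundary and an oversized one) are constructed here; the regex and the latin-1 byte count are this example's assumptions.

```python
import re

# Added example, not code from the advisory, Commons FileUpload or Tomcat:
# a request pre-filter that applies the advisory's workaround (cap the size
# of the Content-Type header value) and reports the multipart boundary
# length, so oversized boundaries can be logged and alerted on.

HEADER_VALUE_LIMIT = 2048  # byte limit suggested in the advisory's workaround

# boundary parameter, bare token or quoted string, case-insensitive name
_BOUNDARY_RE = re.compile(r';\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def unfold(raw_value: str) -> str:
    """Join folded header continuation lines (CRLF + whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw_value).strip()


def boundary_of(content_type: str):
    """Return the boundary parameter of a Content-Type value, or None if absent."""
    m = _BOUNDARY_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_content_type(raw_value: str, limit: int = HEADER_VALUE_LIMIT) -> dict:
    """Check one Content-Type header value before the multipart parser sees it.
    'reject' applies the advisory's workaround (value longer than `limit` bytes);
    'boundary_len' is None for non-multipart content types."""
    value = unfold(raw_value)
    header_len = len(value.encode("latin-1", errors="replace"))
    multipart = value.lower().startswith("multipart/")
    boundary = boundary_of(value) if multipart else None
    reject = header_len > limit
    return {
        "multipart": multipart,
        "boundary_len": None if boundary is None else len(boundary),
        "header_len": header_len,
        "reject": reject,
        "reason": f"header value is {header_len} bytes, limit {limit}" if reject else "ok",
    }


# Constructed samples: the advisory's folded example header, a quoted boundary
# as browsers send it, and an oversized boundary close to 4096 bytes.
SAMPLE_ADVISORY = "multipart/mixed;\r\n      boundary=gc0p4Jq0M2Yt08jU534c0p"
SAMPLE_QUOTED = 'multipart/form-data; boundary="----WebKitFormBoundary7MA4YWxkTrZu0gW"'
SAMPLE_OVERSIZED = "multipart/form-data; boundary=" + "A" * 4090

if __name__ == "__main__":
    for sample in (SAMPLE_ADVISORY, SAMPLE_QUOTED, SAMPLE_OVERSIZED):
        print(check_content_type(sample))
```

The limit applies to the whole header value, not just the boundary, which matches how LimitRequestFieldSize and maxHttpHeaderSize are enforced in front of the application.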

