From: Mark Thomas
Date: Tue, 21 Jun 2016 10:53:01 +0100
To: users@tomcat.apache.org, dev@tomcat.apache.org, announce@tomcat.apache.org, announce@apache.org, security@tomcat.apache.org
Subject: Fwd: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
Message-ID: <45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org>
User-Agent: K-9 Mail for Android

-------- Original Message --------
From: Jochen Wiedmann
Sent: 21 June 2016 10:18:15 BST
To: private@commons.apache.org, security@apache.org, Tomcat Security List, announce@apache.org, Apache Commons Developers List
Subject: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
  Apache Commons Fileupload 1.3 to 1.3.1
  Apache Commons Fileupload 1.2 to 1.2.2
  The unsupported Apache Commons Fileupload 1.0.x and 1.1.x may also be affected.
  Apache Tomcat 9.x to 9.0.0M6
  Apache Tomcat 8.x to 8.0.35
  Apache Tomcat 7.x to 7.0.69
  Apache Tomcat 6.x
  Unsupported versions of Apache Tomcat, like 5.x, may also be affected.
  Apache Struts 2.5.x and previous versions, which are distributing Commons FileUpload 1.3.1 or earlier versions.

Description:
A malicious client can send file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.

This flaw is not exploitable beyond causing the code to loop, expending CPU resources.

Mitigation:
All users of Apache Commons Fileupload should upgrade to 1.3.2.
All users of Apache Tomcat should upgrade to 9.0.0M8, 8.0.36, or 7.0.70, respectively.
All users of Apache Struts should replace the copy of Commons FileUpload (which is distributed as part of Struts) with the fixed version 1.3.2.

Workaround:
System administrators should restrict the permitted maximum size of HTTP request header values (for example, Apache Httpd provides a LimitRequestFieldSize directive, and Apache Tomcat provides a maxHttpHeaderSize attribute in their respective configuration files). A maximum header value size of 2048 bytes would block all dangerous requests.

Example:
File upload requests contain a so-called boundary in the Content-Type header:

  Content-Type: multipart/mixed; boundary=gc0p4Jq0M2Yt08jU534c0p

The boundary may be chosen by the request sender. In the case of previous versions of Apache Commons Fileupload the boundary becomes dangerous if its size is close to 4096 bytes.

Credit:
TERASOLUNA Framework Development Team at the Software Engineering, Research and Development Headquarter, for detecting this flaw and reporting it to the JPCERT/CC. Taki Uchiyama (JPCERT/CC Vulnerability Handling Team) reported this problem to us.

References:
https://commons.apache.org/proper/commons-fileupload/security.html

-- 
The next time you hear: "Don't reinvent the wheel!"
http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@commons.apache.org
For additional commands, e-mail: dev-help@commons.apache.org

Note: Apache Tomcat 6.x and earlier are NOT affected.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
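The advisory's Workaround and Example sections, turned into working code. This is an added illustration written for this archive page; it is not code from the advisory, from Commons FileUpload, from Tomcat or from Struts. It assembles a multipart/form-data POST with a caller-chosen boundary length (so a patched FileUpload 1.3.2 or fixed Tomcat can be regression-tested in a lab with a boundary close to 4096 bytes, the size the advisory names), and it implements the advisory's header-size workaround as a front-end check. One rule goes beyond the advisory: RFC 2046 section 5.1.1 caps a boundary at 70 characters, so an edge filter can reject an over-long boundary long before the 2048-byte header limit. The host `target.example`, the path `/upload`, the alphabet used for generated boundaries and the sample file contents are constructed placeholders.

```python
"""Added example (not from the advisory, Commons FileUpload or Tomcat).

  * build_upload_request() assembles a multipart/form-data POST whose boundary
    length is chosen by the caller, for lab regression testing of a patched
    server with a boundary of the size the advisory describes (~4096 bytes).
  * check_request_headers() is the advisory's workaround as a front-end check
    (reject any header value over 2048 bytes) plus the RFC 2046 boundary cap.

Host name, path, boundary alphabet and file contents are constructed placeholders.
"""
import re

HEADER_VALUE_LIMIT = 2048   # per-value limit the advisory says blocks all dangerous requests
RFC2046_MAX_BOUNDARY = 70   # RFC 2046 section 5.1.1: a boundary is 1 to 70 characters

# Constructed alphabet: a subset of the RFC 2046 "bchars" set (no space, no punctuation).
_BCHARS = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def make_boundary(length):
    """Deterministic boundary of exactly `length` characters.  The RFC cap is
    deliberately not applied here, because the test case needs an over-long one."""
    return "".join(_BCHARS[i % len(_BCHARS)] for i in range(length))


def build_upload_request(boundary, filename="x.txt", payload=b"hello", host="target.example"):
    """Return (headers, body) for a single-file multipart/form-data POST delimited
    by `boundary`, with CRLF line ends as RFC 2046 requires."""
    b = boundary.encode("ascii")
    parts = [
        b"--" + b + b"\r\n",
        b'Content-Disposition: form-data; name="file"; filename="' + filename.encode("ascii") + b'"\r\n',
        b"Content-Type: application/octet-stream\r\n",
        b"\r\n",
        payload + b"\r\n",
        b"--" + b + b"--\r\n",
    ]
    body = b"".join(parts)
    headers = {
        "Host": host,
        "Content-Type": "multipart/form-data; boundary=" + boundary,
        "Content-Length": str(len(body)),
    }
    return headers, body


def serialize_request(path, headers, body):
    """Raw HTTP/1.1 request bytes, e.g. to pipe into nc or openssl s_client in a lab."""
    head = "POST %s HTTP/1.1\r\n" % path
    head += "".join("%s: %s\r\n" % (k, v) for k, v in headers.items())
    head += "\r\n"
    return head.encode("ascii") + body


_BOUNDARY_RE = re.compile(r';\s*boundary=(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def extract_boundary(content_type):
    """Boundary parameter of a Content-Type value (quoted or bare); None if absent."""
    m = _BOUNDARY_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_request_headers(headers, header_value_limit=HEADER_VALUE_LIMIT):
    """Edge check returning (True, 'ok') or (False, reason).  The first rule is the
    advisory's workaround; the second is the RFC 2046 boundary length cap."""
    for name, value in headers.items():
        size = len(value.encode("utf-8"))
        if size > header_value_limit:
            return False, "%s value is %d bytes, limit %d" % (name, size, header_value_limit)
    content_type = headers.get("Content-Type", "")
    if content_type.lower().startswith("multipart/"):
        boundary = extract_boundary(content_type)
        if boundary is None:
            return False, "multipart Content-Type without a boundary parameter"
        if len(boundary) > RFC2046_MAX_BOUNDARY:
            return False, "boundary is %d chars, RFC 2046 allows at most %d" % (
                len(boundary), RFC2046_MAX_BOUNDARY)
    return True, "ok"


if __name__ == "__main__":
    for n in (40, 100, 4090):
        hdrs, _ = build_upload_request(make_boundary(n))
        print(n, check_request_headers(hdrs))
```

Two notes on applying the workaround itself. Apache httpd's LimitRequestFieldSize bounds one header field, which matches the "header value" wording of the advisory; Tomcat's maxHttpHeaderSize (on the Connector in server.xml) bounds the whole request header block, so a value of 2048 there is at least as strict but will also reject legitimate requests that carry large cookies or Authorization headers, which is worth checking before rolling it out. And the raw request from serialize_request() is only for a lab host you own: against an unpatched server it is, by the advisory's own description, a denial of service.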