Details
- Bug
- Status: Closed
- Critical
- Resolution: Fixed
- 1.0.40, 2.0.0-alpha-3, 1.5.12
- None
Description
Specially crafted input can trigger a DoS if the buffer used by the MultipartStream is not big enough. The commons-fileupload dependency must be updated to 1.3.1 to fix this.
-------- Original Message --------
Subject: [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
Date: Thu, 06 Feb 2014 11:37:32 +0000
From: Mark Thomas <markt@apache.org>
To: Commons Users List <user@commons.apache.org>, Tomcat Users List <users@tomcat.apache.org>
Cc: Commons Developers List <dev@commons.apache.org>, Tomcat Developers List <dev@tomcat.apache.org>,
full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
announce@apache.org, announce@tomcat.apache.org
CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Commons FileUpload 1.0 to 1.3
- Apache Tomcat 8.0.0-RC1 to 8.0.1
- Apache Tomcat 7.0.0 to 7.0.50
- Apache Tomcat 6 and earlier are not affected
Apache Tomcat 7 and Apache Tomcat 8 use a packaged renamed copy of
Apache Commons FileUpload to implement the requirement of the Servlet
3.0 and later specifications to support the processing of
mime-multipart requests. Tomcat 7 and 8 are therefore affected by this
issue. While Tomcat 6 uses Commons FileUpload as part of the Manager
application, access to that functionality is limited to authenticated
administrators.
Description:
It is possible to craft a malformed Content-Type header for a
multipart request that causes Apache Commons FileUpload to enter an
infinite loop. A malicious user could, therefore, craft a malformed
request that triggered a denial of service.
This issue was reported responsibly to the Apache Software Foundation
via JPCERT but an error in addressing an e-mail led to the unintended
early disclosure of this issue[1].
Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Commons FileUpload 1.3.1 or later once released
- Upgrade to Apache Tomcat 8.0.2 or later once released
- Upgrade to Apache Tomcat 7.0.51 or later once released
- Apply the appropriate patch
  - Commons FileUpload: http://svn.apache.org/r1565143
  - Tomcat 8: http://svn.apache.org/r1565163
  - Tomcat 7: http://svn.apache.org/r1565169
- Limit the size of the Content-Type header to less than 4091 bytes
Credit:
This issue was reported to the Apache Software Foundation via JPCERT.
References:
[1] http://markmail.org/message/kpfl7ax4el2owb3o
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html