JVNDB-2014-000017

Apache Commons FileUpload vulnerable to denial-of-service (DoS)

Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.

Apache Commons FileUpload provided by Apache Software Foundation contains an issue in processing a multi-part request, which may cause the process to be in an infinite loop.

As of 2014 February 12, an exploit tool to attack against this vulnerability has been confirmed.

Hitachi Incident Response Team (HIRT) reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Apache Software Foundation

• Apache Tomcat 8.0.0-RC1 to 8.0.1
• Apache Tomcat 7.0.0 to 7.0.50
• Commons FileUpload 1.0 to 1.3

Products that use Apache Commons FileUpload, are affected by this vulnerability.

According to the developer, Apache Tomcat 6 and earlier are not affected.

The developer also states that Apache Commons FileUpload is widely used for multiple Apache products, therefore, multiple Apache products other than Apache Tomcat may be affected by this vulnerability.
According to the developer, the following products may be affected.
* Jenkins
* JSPWiki
* JXP
* Lucene-Solr
* onemind-commons
* Spring
* Stapler
* Struts 1, 2
* WSDL2c

Processing a malformed request may cause the condition that the target system does not respond.

[Update the Software]
Update to the latest version that contains a fix fot this vulnerability:

* Apache Commons FileUpload 1.3.1
http://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi

* Apache Tomcat 8.0.3
http://www.apache.org/dist/tomcat/tomcat-8/v8.0.3/

* Apache Tomcat 7.0.52
http://www.apache.org/dist/tomcat/tomcat-7/v7.0.52/

* Apache Struts 2.3.16.1
http://struts.apache.org/download.cgi#struts23161

[Apply the Patch]
In the developer's repository, the respective source code that contains a fix for this vulnerability has been released.

* Apache Commons FileUpload: http://svn.apache.org/r1565143
* Apache Tomcat 8: http://svn.apache.org/r1565163
* Apache Tomcat 7: http://svn.apache.org/r1565169

[Workaround]
Applying the following workaround may mitigate the effect of this vulnerability.

* Limit the Content-Type header size less than 4091 bytes

For more information, please refer to the developer's site.

Apache Software Foundation

• Apache Commons : Download Apache Commons FileUpload -- Apache Commons FileUpload 1.3.1
• Apache Software Foundation : www-announce mailing list archives -- CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
• Apache Struts : Struts 2.3.16.1
• Apache Struts Announcements : 21 February 2014 - Immediately upgrade commons-fileupload to version 1.3.1
• Apache Struts Announcements : 21 February 2014 - Immediately upgrade commons-fileupload to version 1.3.1
• Apache Tomcat : Fixed in Apache Tomcat 8.0.2
• Apache Tomcat : Fixed in Apache Tomcat 7.0.51
• Apache Tomcat : Apache Tomcat 8.0.3
• Apache Tomcat : Apache Tomcat 7.0.52
• Apache-SVN : Apache Commons FileUpload 1.3.1 RELEASE NOTES
• Apache-SVN : Revision 1565143

Huawei

• Security Advisory : Huawei-SA-20140707-01-Struts2

IBM Corporation

• IBM Support Document : 1677724
• IBM Support Document : 1676853
• IBM Support Document : 1676656
• IBM Support Document : 1676410
• IBM Support Document : 1676405
• IBM Support Document : 1676403
• IBM Support Document : 1676401
• IBM Support Document : 1675432
• IBM Support Document : 1677691
• IBM Support Document : 1681214
• IBM Support Document : 1676091
• IBM Support Document : 1676092
• IBM Support Document : 1669554

VMware

• VMware Security Advisories : VMSA-2014-0007

Oracle Corporation

• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - July 2014
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - January 2015
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - October 2014
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - April 2015
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - October 2015
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - October 2015 Risk Matrices
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - January 2016
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - January 2016 Risk Matrices
• Oracle Critical Patch Update : Oracle Critical Patch Update Advisory - October 2016
• Oracle Critical Patch Update : Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices
• SECURITY BLOG : January 2015 Critical Patch Update Released
• SECURITY BLOG : April 2015 Critical Patch Update Released
• SECURITY BLOG : October 2015 Critical Patch Update Released
• SECURITY BLOG : October 2014 Critical Patch Update Released
• SECURITY BLOG : January 2016 Critical Patch Update Released
• SECURITY BLOG : October 2016 Critical Patch Update Released

Red Hat, Inc.

• Red Hat Bugzilla : Bug 1062337
• Red Hat Security Advisory : RHSA-2014:0400

NEC Corporation

• NEC Security Information : NV15-004 (in Japanese)

Hitachi, Ltd

• Hitachi Software Vulnerability Information : HS14-008
• Hitachi Software Vulnerability Information : HS14-015
• Hitachi Software Vulnerability Information : HS14-016
• Hitachi Software Vulnerability Information : HS14-017

FUJITSU

• FUJITSU Security Information : Interstage Application Server: denial of service (DoS) vulnerability in Java EE 6 (CVE-2014-0050) (in Japanese)

1. Improper Input Validation(CWE-20) [IPA Evaluation]

1. CVE-2014-0050

1. JVN : JVN#14876762
2. National Vulnerability Database (NVD) : CVE-2014-0050
3. Related document : MGASA-2014-0110

• [2014/02/10]
    Web page was published
  [2014/02/13]
    Overview was modified
    Solution was modified
    Vendor Information : Content was added
  [2014/02/21]
    Solution was modified
    Vendor Information : Content was added
  [2014/02/24]
    Vendor Information : Content was added
  [2014/03/10]
    Solution was modified
    Vendor Information : Content was added
  [2014/03/28]
    Vendor Information : Content was added
  [2014/03/31]
    Vendor Information : Content was added
  [2014/04/02]
    References : Content was added
  [2014/05/13]
    Vendor Information : Content was added
  [2014/07/01]
    Vendor Information : Contents were added
  [2014/07/28]
    Vendor Information : Contents were added
  [2014/09/09]
    Vendor Information : Contents were added
  [2015/02/16]
    Vendor Information : Contents were added
  [2015/04/20]
    Vendor Information : Contents were added
  [2015/05/11]
    References : Content was added
  [2015/06/08]
    Vendor Information : Content was added
  [2015/06/26]
    Vendor Information : Contents were added
  [2015/10/22]
    Vendor Information : Contents were added
  [2015/12/25]
    Vendor Information : Contents were added
  [2016/01/28]
    Vendor Information : Contents were added
  [2016/12/27]
    Vendor Information : Contents were added