Apache Commons FileUpload vulnerable to denial-of-service (DoS)


Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.

Apache Commons FileUpload provided by Apache Software Foundation contains an issue in processing a multi-part request, which may cause the process to be in an infinite loop.

As of 2014 February 12, an exploit tool to attack against this vulnerability has been confirmed.

Hitachi Incident Response Team (HIRT) reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products

Apache Software Foundation
  • Apache Tomcat 8.0.0-RC1 to 8.0.1
  • Apache Tomcat 7.0.0 to 7.0.50
  • Commons FileUpload 1.0 to 1.3

Products that use Apache Commons FileUpload, are affected by this vulnerability.

According to the developer, Apache Tomcat 6 and earlier are not affected.

The developer also states that Apache Commons FileUpload is widely used for multiple Apache products, therefore, multiple Apache products other than Apache Tomcat may be affected by this vulnerability.
According to the developer, the following products may be affected.
* Jenkins
* JSPWiki
* Lucene-Solr
* onemind-commons
* Spring
* Stapler
* Struts 1, 2
* WSDL2c

Processing a malformed request may cause the condition that the target system does not respond.

[Update the Software]
Update to the latest version that contains a fix fot this vulnerability:

* Apache Commons FileUpload 1.3.1

* Apache Tomcat 8.0.3

* Apache Tomcat 7.0.52

* Apache Struts

[Apply the Patch]
In the developer's repository, the respective source code that contains a fix for this vulnerability has been released.

* Apache Commons FileUpload: http://svn.apache.org/r1565143
* Apache Tomcat 8: http://svn.apache.org/r1565163
* Apache Tomcat 7: http://svn.apache.org/r1565169

Applying the following workaround may mitigate the effect of this vulnerability.

* Limit the Content-Type header size less than 4091 bytes

For more information, please refer to the developer's site.
Vendor Information

Apache Software Foundation Huawei IBM Corporation VMware Oracle Corporation Red Hat, Inc. NEC Corporation
  • NEC Security Information : NV15-004 (in Japanese)
Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS14-008
  • Hitachi Software Vulnerability Information : HS14-015
  • Hitachi Software Vulnerability Information : HS14-016
  • Hitachi Software Vulnerability Information : HS14-017
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2014-0050

  1. JVN : JVN#14876762
  2. National Vulnerability Database (NVD) : CVE-2014-0050
  3. Related document : MGASA-2014-0110
Revision History

  • [2014/02/10]
      Web page was published
      Overview was modified
      Solution was modified
      Vendor Information : Content was added
      Solution was modified
      Vendor Information : Content was added
      Vendor Information : Content was added
      Solution was modified
      Vendor Information : Content was added
      Vendor Information : Content was added
      Vendor Information : Content was added
      References : Content was added
      Vendor Information : Content was added
      Vendor Information : Contents were added
      Vendor Information : Contents were added
      Vendor Information : Contents were added
      Vendor Information : Contents were added
      Vendor Information : Contents were added
      References : Content was added
      Vendor Information : Content was added
      Vendor Information : Contents were added
      Vendor Information : Contents were added
      Vendor Information : Contents were added
      Vendor Information : Contents were added
      Vendor Information : Contents were added