
JVNDB-2014-000017

Apache Commons FileUpload vulnerable to denial-of-service (DoS)

Overview

Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.

Apache Commons FileUpload, provided by the Apache Software Foundation, contains an issue in the processing of multipart requests that can cause the parsing thread to enter an infinite loop.

As of February 12, 2014, an exploit tool targeting this vulnerability has been confirmed to exist.

Hitachi Incident Response Team (HIRT) reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products


Apache Software Foundation
  • Apache Tomcat 8.0.0-RC1 to 8.0.1
  • Apache Tomcat 7.0.0 to 7.0.50
  • Commons FileUpload 1.0 to 1.3

Products that use Apache Commons FileUpload are affected by this vulnerability.

According to the developer, Apache Tomcat 6 and earlier are not affected.

The developer also states that Apache Commons FileUpload is used by many Apache products, so Apache products other than Apache Tomcat may also be affected.
According to the developer, the following products may be affected:
* Jenkins
* JSPWiki
* JXP
* Lucene-Solr
* onemind-commons
* Spring
* Stapler
* Struts 1, 2
* WSDL2c
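The affected ranges above are awkward to check by hand because one lower bound (8.0.0-RC1) is a pre-release. The following Python script, added here as an example and not part of the advisory or of any Apache project, parses version strings so that release candidates sort before the corresponding final release, checks a version against the advisory's ranges, and audits a constructed pom.xml for a declared commons-fileupload dependency. Version strings that are Maven property references (`${...}`) are reported unresolved rather than guessed.

```python
"""Check Commons FileUpload / Tomcat versions against the ranges in JVNDB-2014-000017."""
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, exactly as listed in the advisory.
AFFECTED = {
    "commons-fileupload": [("1.0", "1.3")],
    "tomcat": [("7.0.0", "7.0.50"), ("8.0.0-RC1", "8.0.1")],
}

_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-RC(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Map '8.0.0-RC1' -> ((8, 0, 0), (0, 1)) and '8.0.0' -> ((8, 0, 0), (1, 0)).

    The second tuple ranks a release candidate (0, n) below the final release (1, 0)
    of the same number, so tuple comparison orders 8.0.0-RC1 < 8.0.0-RC10 < 8.0.0.
    """
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))  # '1.3' compares as 1.3.0
    pre = (0, int(m.group(2))) if m.group(2) else (1, 0)
    return nums, pre


def is_affected(product, version):
    """True if `version` of `product` falls inside one of the advisory's ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED[product])


def fileupload_versions_in_pom(pom_xml):
    """Return every version declared for commons-fileupload:commons-fileupload in a pom."""
    root = ET.fromstring(pom_xml)
    found = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "dependency":  # strip the Maven namespace
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}
        if (fields.get("groupId"), fields.get("artifactId")) == ("commons-fileupload",) * 2:
            found.append(fields.get("version", ""))
    return found


def audit_pom(pom_xml):
    """Return [(version, affected)] where affected is None for unresolved ${property} values."""
    results = []
    for v in fileupload_versions_in_pom(pom_xml):
        if not v or "${" in v:
            results.append((v, None))
        else:
            results.append((v, is_affected("commons-fileupload", v)))
    return results


# Constructed sample pom for demonstration; not taken from any real project.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>upload-app</artifactId>
  <version>1.0</version>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>1.3</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.4</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    for product, version in [("tomcat", "8.0.0-RC1"), ("tomcat", "8.0.3"),
                             ("commons-fileupload", "1.3.1")]:
        print(product, version, "affected" if is_affected(product, version) else "not affected")
    print("pom audit:", audit_pom(SAMPLE_POM))
```

A shaded jar that bundles FileUpload under another artifact name will not show up in the pom scan; for those, inspect the jar's `META-INF/maven/commons-fileupload/commons-fileupload/pom.properties` instead.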
Impact

Processing a malformed request may cause the target system to stop responding.
Solution

[Update the Software]
Update to the latest version that contains a fix for this vulnerability:

* Apache Commons FileUpload 1.3.1
http://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi

* Apache Tomcat 8.0.3
http://www.apache.org/dist/tomcat/tomcat-8/v8.0.3/

* Apache Tomcat 7.0.52
http://www.apache.org/dist/tomcat/tomcat-7/v7.0.52/

* Apache Struts 2.3.16.1
http://struts.apache.org/download.cgi#struts23161

[Apply the Patch]
The fixes for this vulnerability have been committed to the developer's source repositories:

* Apache Commons FileUpload: http://svn.apache.org/r1565143
* Apache Tomcat 8: http://svn.apache.org/r1565163
* Apache Tomcat 7: http://svn.apache.org/r1565169

[Workaround]
Applying the following workaround may mitigate the effect of this vulnerability until the update can be applied.

* Limit the size of the Content-Type header to less than 4091 bytes, so that an oversized multipart request is rejected before it reaches the FileUpload parser.
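The workaround above is a header-length check placed in front of the multipart parser. The following Python WSGI middleware is an added example, not code from the advisory or from Apache; in a Java deployment the same check belongs in a servlet Filter or in the reverse proxy. It measures the encoded header length, answers 400 for anything at or above 4091 bytes, and otherwise passes the request to the wrapped application (a stand-in `_upload_app` assumed here for the demonstration).

```python
"""Reject requests whose Content-Type header is too long for the FileUpload workaround limit."""

# Advisory workaround: the Content-Type header must be shorter than 4091 bytes.
MAX_CONTENT_TYPE_BYTES = 4090


def content_type_allowed(content_type):
    """Return (allowed, reason) for a Content-Type header value (str) or None if absent."""
    if content_type is None:
        return True, "no Content-Type header"
    # Header values are bytes on the wire; measure the encoded length, not the str length.
    size = len(content_type.encode("latin-1", "replace"))
    if size > MAX_CONTENT_TYPE_BYTES:
        return False, f"Content-Type header is {size} bytes; limit is {MAX_CONTENT_TYPE_BYTES}"
    return True, "ok"


def limit_content_type(app):
    """WSGI middleware: answer 400 before the wrapped app (and its multipart parser) sees the body."""
    def middleware(environ, start_response):
        allowed, reason = content_type_allowed(environ.get("CONTENT_TYPE"))
        if not allowed:
            body = ("400 Bad Request: " + reason).encode("ascii")
            start_response("400 Bad Request",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return middleware


def _upload_app(environ, start_response):
    """Stand-in for the protected upload handler (assumed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"upload accepted"]


def status_for(content_type):
    """Drive the middleware with a constructed POST and return the HTTP status it emits."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/upload",
               "CONTENT_TYPE": content_type}
    b"".join(limit_content_type(_upload_app)(environ, start_response))
    return seen["status"]


# Constructed inputs: a typical browser boundary, and an oversized one of the kind the cap stops.
NORMAL_CT = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
OVERSIZED_CT = "multipart/form-data; boundary=" + "A" * 4080

if __name__ == "__main__":
    print("normal boundary    ->", status_for(NORMAL_CT))
    print("oversized boundary ->", status_for(OVERSIZED_CT))
```

The cap is applied to every Content-Type value rather than only `multipart/*`, which is simpler to reason about and costs nothing for legitimate traffic, since real Content-Type headers are a few dozen bytes. Keep the middleware outermost so that no framework-level multipart handling runs ahead of it.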

For more information, please refer to the developer's site.
Vendor Information

Apache Software Foundation
Huawei
IBM Corporation
VMware
Oracle Corporation
Red Hat, Inc.
NEC Corporation
  • NEC Security Information : NV15-004 (in Japanese)
Hitachi, Ltd.
  • Hitachi Software Vulnerability Information : HS14-008
  • Hitachi Software Vulnerability Information : HS14-015
  • Hitachi Software Vulnerability Information : HS14-016
  • Hitachi Software Vulnerability Information : HS14-017
FUJITSU
CWE

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE

  1. CVE-2014-0050
References

  1. JVN : JVN#14876762
  2. National Vulnerability Database (NVD) : CVE-2014-0050
  3. Related document : MGASA-2014-0110
Revision History

  • [2014/02/10]
      Web page was published
  • [2014/02/13]
      Overview was modified
      Solution was modified
      Vendor Information : Content was added
  • [2014/02/21]
      Solution was modified
      Vendor Information : Content was added
  • [2014/02/24]
      Vendor Information : Content was added
  • [2014/03/10]
      Solution was modified
      Vendor Information : Content was added
  • [2014/03/28]
      Vendor Information : Content was added
  • [2014/03/31]
      Vendor Information : Content was added
  • [2014/04/02]
      References : Content was added
  • [2014/05/13]
      Vendor Information : Content was added
  • [2014/07/01]
      Vendor Information : Contents were added
  • [2014/07/28]
      Vendor Information : Contents were added
  • [2014/09/09]
      Vendor Information : Contents were added
  • [2015/02/16]
      Vendor Information : Contents were added
  • [2015/04/20]
      Vendor Information : Contents were added
  • [2015/05/11]
      References : Content was added
  • [2015/06/08]
      Vendor Information : Content was added
  • [2015/06/26]
      Vendor Information : Contents were added
  • [2015/10/22]
      Vendor Information : Contents were added
  • [2015/12/25]
      Vendor Information : Contents were added
  • [2016/01/28]
      Vendor Information : Contents were added
  • [2016/12/27]
      Vendor Information : Contents were added