JVNDB-2016-000121

Apache Commons FileUpload vulnerable to denial-of-service (DoS)

Overview

Apache Commons FileUpload provided by the Apache Software Foundation contains a flaw when processing multi-part requests, which may lead to a denial-of-service (DoS).

TERASOLUNA FW(Struts1) Team of NTT DATA Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 5.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products

Apache Software Foundation
  • Apache Struts 2.5.x and earlier
  • Apache Tomcat 7.0.0 to 7.0.69
  • Apache Tomcat 8.0.0.RC1 to 8.0.35
  • Apache Tomcat 8.5.0 to 8.5.2
  • Apache Tomcat 9.0.0.M1 to 9.0.0.M6
  • Commons FileUpload 1.2 to 1.2.2
  • Commons FileUpload 1.3 to 1.3.1

According to the developer, the unsupported Commons FileUpload versions 1.0.x and 1.1.x may also be affected.

The developer also states that Apache Commons FileUpload is used by many Apache products, so products other than Tomcat and Struts 2 may be affected by this vulnerability as well. According to the developer, the following products may be affected:
* Jenkins
* JSPWiki
* JXP
* Lucene-Solr
* onemind-commons
* Spring
* Stapler
* Struts 1
* WSDL2c
The title in the link under "Vendor Status" states an "information disclosure vulnerability" but "Denial of Service (DoS)" is correct.
Impact

Processing a specially crafted request may exhaust the server's CPU resources.
Solution

[Apply the update]
Update to the latest version that contains a fix for this vulnerability:
* Commons FileUpload 1.3.2
* Tomcat 9.0.0.M8
* Tomcat 8.5.3
* Tomcat 8.0.36
* Tomcat 7.0.70
Users of Apache Struts should replace the bundled copy of Commons FileUpload with the fixed version.

[Apply a workaround]
Until the update can be applied, the following workaround may mitigate the effect of this vulnerability:
* Limit the maximum size of HTTP requests

According to the developer, Apache httpd provides the LimitRequestFieldSize directive and Apache Tomcat provides the maxHttpHeaderSize attribute in their respective configuration files to limit the maximum size of HTTP request headers. The developer also states that limiting the maximum size to 2048 bytes mitigates this vulnerability. For details, refer to the information provided by the developer.
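The following audit script is an added example and not part of the advisory or of any Apache project code. It checks a Tomcat server.xml for HTTP connectors that still allow headers larger than the 2048-byte limit named above; it assumes Tomcat's documented default of 8192 bytes when maxHttpHeaderSize is absent, and uses a constructed sample server.xml as input.

```python
"""Check a Tomcat server.xml for the maxHttpHeaderSize workaround (example code, not from the advisory)."""
import xml.etree.ElementTree as ET

RECOMMENDED_MAX = 2048   # byte limit recommended by the developer
TOMCAT_DEFAULT = 8192    # assumed Tomcat default when the attribute is absent

# Constructed sample server.xml: one connector hardened, one left at the default,
# one explicitly set too large, and one AJP connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxHttpHeaderSize="2048"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"/>
    <Connector port="8081" protocol="HTTP/1.1" maxHttpHeaderSize="16384"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""


def effective_header_limit(connector):
    """Return the header size limit (bytes) the connector actually enforces."""
    value = connector.get("maxHttpHeaderSize")
    return int(value) if value is not None else TOMCAT_DEFAULT


def audit_server_xml(xml_text, limit=RECOMMENDED_MAX):
    """Return (port, effective_limit) for each HTTP connector whose limit exceeds `limit`."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")
        if protocol.startswith("AJP"):
            # Skipped: behind httpd the LimitRequestFieldSize directive applies there instead.
            continue
        effective = effective_header_limit(conn)
        if effective > limit:
            findings.append((conn.get("port"), effective))
    return findings


if __name__ == "__main__":
    for port, effective in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"Connector on port {port}: maxHttpHeaderSize={effective} exceeds {RECOMMENDED_MAX}")
```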
Vendor Information

Apache Software Foundation
Canonical
Debian
Oracle Corporation
Hewlett Packard Enterprise Co.
Red Hat, Inc.
NTT DATA
NEC Corporation
  • NEC Security Information : NV16-018 (in Japanese)
Hitachi, Ltd
  • Hitachi Software Vulnerability Information : HS16-022
  • Hitachi Software Vulnerability Information : HS16-026
  • Hitachi Software Vulnerability Information : HS16-029
  • Hitachi Software Vulnerability Information : HS16-030
  • Hitachi Software Vulnerability Information : hitachi-sec-2017-105
FUJITSU
CWE

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE

  1. CVE-2016-3092
References

  1. JVN : JVN#89379547
  2. National Vulnerability Database (NVD) : CVE-2016-3092
Revision History

  • [2016/06/30] Web page was published
  • [2016/07/07] Solution was modified
  • [2016/08/03] Vendor Information : Contents were added; References : Content was added
  • [2016/08/26] Vendor Information : Content was added
  • [2016/09/07] Vendor Information : Contents were added
  • [2016/09/30] Vendor Information : Content was added
  • [2016/11/09] Vendor Information : Contents were added
  • [2017/02/20] Vendor Information : Content was added
  • [2018/01/29] Vendor Information : Content was added