|
JVNDB-2016-000121
|
Apache Commons FileUpload vulnerable to denial-of-service (DoS)
|
Apache Commons FileUpload provided by the Apache Software Foundation contains a flaw when processing multi-part requests, which may lead to a denial-of-service (DoS).
TERASOLUNA FW(Struts1) Team of NTT DATA Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
|
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
CVSS V2 Severity: Base Metrics 5.0 (Medium) [IPA Score]
- Access Vector: Network
- Access Complexity: Low
- Authentication: None
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Partial
|
|
Apache Software Foundation
- Apache Struts 2.5.x and earlier
- Apache Tomcat 7.0.0 to 7.0.69
- Apache Tomcat 8.0.0.RC1 to 8.0.35
- Apache Tomcat 8.5.0 to 8.5.2
- Apache Tomcat 9.0.0.M1 to 9.0.0.M6
- Commons FileUpload 1.2 to 1.2.2
- Commons FileUpload 1.3 to 1.3.1
|
According to the developer, the unsupported versions of Commons FileUpload 1.0.x and 1.1.x may also be affected.
The developer also states that Apache Commons FileUpload is used by many Apache products; therefore, Apache products other than Tomcat and Struts 2 may also be affected by this vulnerability.
According to the developer, the following products may be affected.
* Jenkins
* JSPWiki
* JXP
* Lucene-Solr
* onemind-commons
* Spring
* Stapler
* Struts 1
* WSDL2c
The title in the link under "Vendor Status" states an "information disclosure vulnerability" but "Denial of Service (DoS)" is correct.
|
Processing a specially crafted request may exhaust the server's CPU resources.
|
[Apply the update]
Update to the latest version that contains a fix for this vulnerability:
* Commons FileUpload 1.3.2
* Tomcat 9.0.0.M8
* Tomcat 8.5.3
* Tomcat 8.0.36
* Tomcat 7.0.70
Users of Apache Struts should replace the bundled copy of Commons FileUpload with the fixed version.
[Apply a workaround]
Until an update can be applied, the following workaround may mitigate the effect of this vulnerability.
* Limit the maximum size of HTTP request headers
According to the developer, Apache HTTP Server provides the LimitRequestFieldSize directive and Apache Tomcat provides the maxHttpHeaderSize attribute in their respective configuration files to limit the maximum size of HTTP request headers. The developer also states that limiting this size to 2048 bytes mitigates this vulnerability. For more details, refer to the information provided by the developer.
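To verify that the Tomcat side of this workaround is actually in place, the following added audit script (not code from JVN, IPA or the Apache project) parses a server.xml and reports every HTTP connector whose effective maxHttpHeaderSize exceeds the 2048-byte value stated above. It assumes Tomcat's documented default of 8192 bytes applies when the attribute is absent, and that AJP connectors (sized by packetSize, not maxHttpHeaderSize) are out of scope; the server.xml below is constructed for the example.

```python
"""Audit a Tomcat server.xml for the maxHttpHeaderSize workaround.
Added example, not from the advisory or the Apache project."""
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MAX_HEADER = 8192  # bytes; assumed Tomcat default when the attribute is absent
RECOMMENDED_MAX_HEADER = 2048     # bytes; the value the developer states mitigates the issue


def audit_connectors(server_xml: str, limit: int = RECOMMENDED_MAX_HEADER):
    """Return one finding per HTTP connector: (port, effective_limit, compliant).

    AJP connectors are skipped: they size frames with packetSize rather than
    maxHttpHeaderSize, so this check does not apply to them.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        if "AJP" in protocol.upper():
            continue
        raw = conn.get("maxHttpHeaderSize")
        try:
            effective = int(raw) if raw is not None else TOMCAT_DEFAULT_MAX_HEADER
        except ValueError:
            effective = None  # unparseable value: flag for manual review
        compliant = effective is not None and effective <= limit
        findings.append((conn.get("port"), effective, compliant))
    return findings


# Constructed server.xml: one connector left at the default, one hardened,
# and one AJP connector that the check must ignore.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxHttpHeaderSize="2048"/>
    <Connector port="8009" protocol="AJP/1.3" packetSize="8192"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for port, effective, ok in audit_connectors(SAMPLE_SERVER_XML):
        status = "ok" if ok else "REVIEW"
        print(f"connector :{port} maxHttpHeaderSize={effective} -> {status}")
```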
|
Apache Software Foundation
Canonical
Debian
Oracle Corporation
Hewlett Packard Enterprise Co.
Red Hat, Inc.
NTT DATA
NEC Corporation
- NEC Security Information : NV16-018 (in Japanese)
Hitachi, Ltd.
- Hitachi Software Vulnerability Information : HS16-022
- Hitachi Software Vulnerability Information : HS16-026
- Hitachi Software Vulnerability Information : HS16-029
- Hitachi Software Vulnerability Information : HS16-030
- Hitachi Software Vulnerability Information : hitachi-sec-2017-105
FUJITSU
|
- Improper Input Validation (CWE-20) [IPA Evaluation]
|
- CVE-2016-3092
|
- JVN : JVN#89379547
- National Vulnerability Database (NVD) : CVE-2016-3092
|
[2016/06/30]
Web page was published
[2016/07/07]
Solution was modified
[2016/08/03]
Vendor Information : Contents were added
References : Content was added
[2016/08/26]
Vendor Information : Content was added
[2016/09/07]
Vendor Information : Contents were added
[2016/09/30]
Vendor Information : Content was added
[2016/11/09]
Vendor Information : Contents were added
[2017/02/20]
Vendor Information : Content was added
[2018/01/29]
Vendor Information : Content was added
|