JVN#14876762
Apache Commons FileUpload vulnerable to denial-of-service (DoS)
Critical
Overview
Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.
Products Affected
- Commons FileUpload 1.0 to 1.3
- Apache Tomcat 8.0.0-RC1 to 8.0.1
- Apache Tomcat 7.0.0 to 7.0.50
- Products that use Apache Commons FileUpload
The developer also states that Apache Commons FileUpload is widely used in multiple Apache products; therefore, Apache products other than Apache Tomcat may also be affected by this vulnerability.
According to the developer, the following products may be affected.
- Jenkins
- JSPWiki
- JXP
- Lucene-Solr
- onemind-commons
- Spring
- Stapler
- Struts 1, 2
- WSDL2c
Description
Apache Commons FileUpload provided by Apache Software Foundation contains an issue in processing a multi-part request, which may cause the process to enter an infinite loop.
As of 2014 February 12, the existence of an exploit tool targeting this vulnerability has been confirmed.
Impact
Processing a malformed request may cause the target system to stop responding.
Solution
Update the Software
Update to the latest version that contains a fix for this vulnerability:
In the developer's repository, the respective source code that contains a fix for this vulnerability has been released.
- Apache Commons FileUpload: http://svn.apache.org/r1565143
- Apache Tomcat 8: http://svn.apache.org/r1565163
- Apache Tomcat 7: http://svn.apache.org/r1565169
Applying the following workaround may mitigate the effect of this vulnerability.
- Limit the Content-Type header size to less than 4091 bytes
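The workaround above can be applied at the application layer, in front of the multipart parser, with a servlet filter that refuses any request whose Content-Type header is 4091 bytes or longer. The filter below is an added example written for this page; it is not code from Apache Commons FileUpload, Tomcat or JPCERT/CC. The class name `ContentTypeLengthFilter` and the helper `contentTypeTooLong` are hypothetical; only the 4091-byte threshold comes from the advisory.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * ContentTypeLengthFilter (hypothetical name, example code for this advisory):
 * rejects requests whose Content-Type header reaches the size at which the
 * vulnerable FileUpload versions can loop forever, so the multipart parser
 * never sees them.
 */
public class ContentTypeLengthFilter implements Filter {

    /** Workaround threshold from the advisory: the header must stay below 4091 bytes. */
    static final int MAX_CONTENT_TYPE_BYTES = 4091;

    /**
     * Returns true when the header value is too long to be passed on.
     * Length is measured in bytes as the header is carried on the wire
     * (ISO-8859-1), not in Java chars, so multi-byte characters are counted correctly.
     */
    static boolean contentTypeTooLong(String contentType) {
        if (contentType == null) {
            return false; // no Content-Type at all: nothing for the multipart parser to do
        }
        int bytes = contentType.getBytes(StandardCharsets.ISO_8859_1).length;
        return bytes >= MAX_CONTENT_TYPE_BYTES;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // No configuration needed for this example.
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (request instanceof HttpServletRequest && response instanceof HttpServletResponse) {
            HttpServletRequest req = (HttpServletRequest) request;
            String contentType = req.getHeader("Content-Type");
            if (contentTypeTooLong(contentType)) {
                // Refuse early with a plain 400; the request body is never read.
                ((HttpServletResponse) response).sendError(
                        HttpServletResponse.SC_BAD_REQUEST, "Content-Type header too long");
                return;
            }
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Map the filter to every URL pattern that accepts multipart uploads (or to `/*`) in web.xml so it runs before any servlet that calls Commons FileUpload. Note that Tomcat's connector-level `maxHttpHeaderSize` bounds the size of the whole request line plus headers, not a single header, so it is not a substitute for the per-header check unless it is set well below the 4091-byte threshold; the filter is a stopgap, and the real fix is upgrading to the patched versions listed above.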
Vendor Status
Vendor | Status | Last Update | Vendor Notes
---|---|---|---
NEC Corporation | Vulnerable | 2016/07/11 |

Vendor | Link
---|---
ASF Apache Commons FileUpload | Download Apache Commons FileUpload -- Apache Commons FileUpload 1.3.1
ASF Apache Commons FileUpload | Apache Commons FileUpload 1.3.1 RELEASE NOTES
ASF Apache Commons FileUpload | [Apache-SVN] Revision 1565143
ASF Apache Tomcat | Apache Tomcat 8.0.3
ASF Apache Tomcat | Fixed in Apache Tomcat 8.0.2
ASF Apache Tomcat | Apache Tomcat 7.0.52
ASF Apache Tomcat | Fixed in Apache Tomcat 7.0.51
ASF Apache Struts | Struts 2.3.16.1
ASF Apache Struts | Announcements -- 21 February 2014 - Immediately upgrade commons-fileupload to version 1.3.1
Apache Software Foundation | www-announce mailing list archives -- CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Analyzed on 2014.02.10. Severity: Critical

Measures | Conditions | Severity
---|---|---
Access Required | can be attacked over the Internet using packets |
Authentication | anonymous or no authentication (IP addresses do not count) |
User Interaction Required | the vulnerability can be exploited without an honest user taking any action |
Exploit Complexity | some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) |
Credit
Hitachi Incident Response Team (HIRT) reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
Source | Identifier
---|---
JPCERT Alert |
JPCERT Reports |
CERT Advisory |
CPNI Advisory |
TRnotes |
CVE | CVE-2014-0050
JVN iPedia | JVNDB-2014-000017
Update History
- 2014/02/10
- Information under the section "Solution" was modified.
- 2014/02/12
- Information under the section "Description" and "Solution" was revised, and the vendor link under "Vendor Status" was added.
- 2014/02/20
- Information under the section "Solution" was revised, and the vendor link under "Vendor Status" was added.
- 2014/02/24
- Announcement from Apache Struts was added to "Vendor Status" section.
- 2014/02/25
- The version information Struts 1.2 was corrected to Struts 1, 2 in the "Products Affected" section.
- 2014/03/07
- Information under the sections "Solution" and "Vendor Status" was updated.
- 2016/07/12
- The status of NEC Corporation was updated.