Published: 2014/02/10  Last Updated: 2016/07/12

JVN#14876762
Apache Commons FileUpload vulnerable to denial-of-service (DoS)
Critical

Overview

Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.

Products Affected

  • Commons FileUpload 1.0 to 1.3
  • Apache Tomcat 8.0.0-RC1 to 8.0.1
  • Apache Tomcat 7.0.0 to 7.0.50
  • Products that use Apache Commons FileUpload

According to the developer, Apache Tomcat 6 and earlier are not affected.

The developer also states that Apache Commons FileUpload is widely used across multiple Apache products, so Apache products other than Apache Tomcat may also be affected by this vulnerability.

According to the developer, the following products may be affected:
  • Jenkins
  • JSPWiki
  • JXP
  • Lucene-Solr
  • onemind-commons
  • Spring
  • Stapler
  • Struts 1, 2
  • WSDL2c

Description

Apache Commons FileUpload, provided by the Apache Software Foundation, contains an issue in its processing of multipart requests that may cause the process to enter an infinite loop.

As of 2014 February 12, the existence of an exploit tool for this vulnerability has been confirmed.

Impact

Processing a malformed request may cause the target system to stop responding.

Solution

Update the Software
Update to the latest version that contains a fix for this vulnerability:

Apply the Patch
In the developer's repository, the source code containing a fix for this vulnerability has been released.

Workaround
Applying the following workaround may mitigate the effect of this vulnerability.
  • Limit the Content-Type header size to less than 4091 bytes
For more information, please refer to the developer's site.
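The workaround above, expressed as a request pre-check that an operator could place in front of an unpatched deployment. This is an added illustration, not code from the advisory or from the Apache project; the function name, the header dictionary shape and the sample headers are assumptions. It goes slightly beyond the advisory by also rejecting multipart requests with a missing boundary or one longer than the 70 characters RFC 2046 allows.

```python
import re

# Limit taken from the advisory's workaround: a multipart request whose
# Content-Type header is 4091 bytes or longer is rejected before it reaches
# Commons FileUpload.
CONTENT_TYPE_LIMIT = 4091

# Boundary parameter, quoted or bare, anywhere after the media type.
_BOUNDARY_RE = re.compile(r';\s*boundary=("?)([^";]+)\1', re.IGNORECASE)


def check_multipart_request(headers):
    """Return (allowed, reason) for a request given as {header-name: value}.

    Non-multipart requests pass through untouched. Multipart requests are
    rejected when the Content-Type header reaches the advisory's limit or
    carries no usable boundary.
    """
    content_type = headers.get("Content-Type", "")
    if not content_type.lower().startswith("multipart/"):
        return True, "not multipart"
    # Count bytes on the wire, not characters, since the limit is in bytes.
    if len(content_type.encode("utf-8")) >= CONTENT_TYPE_LIMIT:
        return False, "Content-Type header too long"
    match = _BOUNDARY_RE.search(content_type)
    if match is None:
        return False, "multipart without boundary"
    # RFC 2046 caps the boundary at 70 characters. This is an extra sanity
    # check on top of the advisory's workaround, not part of it.
    if len(match.group(2)) > 70:
        return False, "boundary longer than RFC 2046 allows"
    return True, "ok"


# Constructed sample headers (not captured traffic) exercising each path.
SAMPLE_HEADERS = {
    "json": {"Content-Type": "application/json"},
    "normal upload": {"Content-Type": "multipart/form-data; boundary=----FormBoundary7MA4YWxk"},
    "oversized header": {"Content-Type": "multipart/form-data; boundary=" + "a" * 5000},
    "long boundary": {"Content-Type": "multipart/form-data; boundary=" + "b" * 100},
    "no boundary": {"Content-Type": "multipart/form-data"},
}


def audit_samples():
    """Run every sample through the check; returns {name: (allowed, reason)}."""
    return {name: check_multipart_request(h) for name, h in SAMPLE_HEADERS.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in audit_samples().items():
        print(f"{name:18} {'ALLOW' if allowed else 'REJECT':6} {reason}")
```

The check enforces the advisory's workaround only; the fixed release remains the actual remedy.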

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2014.02.10  Critical

Measures / Conditions / Severity
  • Access Required: can be attacked over the Internet using packets (Severity: High)
  • Authentication: anonymous or no authentication (IP addresses do not count) (Severity: High)
  • User Interaction Required: the vulnerability can be exploited without an honest user taking any action (Severity: High)
  • Exploit Complexity: some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls) (Severity: Mid-High)

Description of each analysis measure

Credit

Hitachi Incident Response Team (HIRT) reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2014-0050
JVN iPedia: JVNDB-2014-000017

Update History

2014/02/10
Information under the section "Solution" was modified.
2014/02/12
Information under the sections "Description" and "Solution" was revised, and the vendor link under "Vendor Status" was added.
2014/02/20
Information under the section "Solution" was revised, and the vendor link under "Vendor Status" was added.
2014/02/24
Announcement from Apache Struts was added to "Vendor Status" section.
2014/02/25
The version information Struts 1.2 was corrected to Struts 1, 2 in the "Products Affected" section.
2014/03/07
Information under the sections "Solution" and "Vendor Status" was updated.
2016/07/12
Update status from NEC Corporation was added.