Published: 2016/06/30  Last Updated: 2016/09/15

Apache Commons FileUpload vulnerable to denial-of-service (DoS)


Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.

Products Affected

  • Commons FileUpload 1.3 to 1.3.1
  • Commons FileUpload 1.2 to 1.2.2
  • Tomcat 9.0.0.M1 to 9.0.0.M6
  • Tomcat 8.5.0 to 8.5.2
  • Tomcat 8.0.0.RC1 to 8.0.35
  • Tomcat 7.0.0 to 7.0.69
  • Struts 2.5.x and earlier
According to the developer, the unsupported versions of Commons FileUpload 1.0.x and 1.1.x may also be affected.

The developer also states that Apache Commons FileUpload is widely used in multiple Apache products; therefore, Apache products other than Tomcat and Struts 2 may also be affected by this vulnerability.
According to the developer, the following products may be affected:
  • Jenkins
  • JSPWiki
  • JXP
  • Lucene-Solr
  • onemind-commons
  • Spring
  • Stapler
  • Struts 1
  • WSDL2c


Apache Commons FileUpload provided by the Apache Software Foundation contains a flaw when processing multi-part requests, which may lead to a denial-of-service (DoS).


Processing a specially crafted request may result in the server's CPU resources being exhausted.


Apply the update
Update to the latest version that contains a fix for this vulnerability:

Users of Apache Struts should replace the bundled copy of Commons FileUpload with the fixed version.

Apply a workaround
Until an update can be applied, the following workaround may mitigate the effect of this vulnerability.
  • Limit the maximum size of HTTP requests
According to the developer, Apache Httpd provides the LimitRequestFieldSize directive and Apache Tomcat provides the maxHttpHeaderSize attribute in their respective configuration files to limit the maximum size of HTTP requests. The developer also states that limiting the maximum size to 2048 bytes will mitigate this vulnerability. For more details, refer to the information provided by the developer.
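As an added illustration that is not part of this advisory, the Tomcat conf/server.xml HTTP Connector below applies the 2048-byte limit the developer cites via the maxHttpHeaderSize attribute; the port and the other attribute values are placeholders.

```xml
<!-- Added example, not from the advisory: conf/server.xml, HTTP/1.1 Connector.
     maxHttpHeaderSize caps the size of the request line plus headers that
     Tomcat will accept; requests exceeding it are rejected. The advisory
     cites 2048 bytes as the mitigating value (Tomcat's default is 8192).
     port, connectionTimeout and redirectPort are placeholder values. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxHttpHeaderSize="2048" />
```

The Apache Httpd equivalent named by the developer is the `LimitRequestFieldSize 2048` directive in httpd.conf. Lowering either limit also rejects legitimate requests carrying large cookies or authorization headers, so verify application traffic still works before deploying it.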


JPCERT/CC Addendum

The title in the link under "Vendor Status" states an "information disclosure vulnerability" but "Denial of Service (DoS)" is correct.

Vulnerability Analysis by JPCERT/CC

CVSS v3 Base Score: 5.3
(Metrics: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A); the selected values are not preserved in this copy.)

CVSS v2 Base Score: 5.0
(Metrics: Access Vector (AV), Access Complexity (AC), Authentication (Au), Confidentiality Impact (C), Integrity Impact (I), Availability Impact (A); the selected values are not preserved in this copy.)


TERASOLUNA FW(Struts1) Team of NTT DATA Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2016-3092
JVN iPedia: JVNDB-2016-000121

Update History

FUJITSU LIMITED update status
NEC Corporation update status
Fixed error under "Solution". FUJITSU LIMITED update status.
NTT DATA Corporation update status
NEC Corporation update status
NEC Corporation update status