Published: 2016/06/30  Last Updated: 2016/09/15

JVN#89379547
Apache Commons FileUpload vulnerable to denial-of-service (DoS)

Overview

Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.

Products Affected

  • Commons FileUpload 1.3 to 1.3.1
  • Commons FileUpload 1.2 to 1.2.2
  • Tomcat 9.0.0.M1 to 9.0.0.M6
  • Tomcat 8.5.0 to 8.5.2
  • Tomcat 8.0.0.RC1 to 8.0.35
  • Tomcat 7.0.0 to 7.0.69
  • Struts 2.5.x and earlier
According to the developer, the unsupported versions of Commons FileUpload 1.0.x and 1.1.x may also be affected.

The developer also states that Apache Commons FileUpload is widely used in multiple Apache products; therefore, Apache products other than Tomcat and Struts 2 may also be affected by this vulnerability.
According to the developer, the following products may be affected:
  • Jenkins
  • JSPWiki
  • JXP
  • Lucene-Solr
  • onemind-commons
  • Spring
  • Stapler
  • Struts 1
  • WSDL2c

Description

Apache Commons FileUpload provided by the Apache Software Foundation contains a flaw when processing multi-part requests, which may lead to a denial-of-service (DoS).

Impact

Processing a specially crafted request may result in the server's CPU resources being exhausted.

Solution

Apply the update
Update to the latest version that contains a fix for this vulnerability.

Users of Apache Struts should replace the copy of Commons FileUpload shipped with Struts with the fixed version.

Apply a workaround
Until an update can be applied, the following workaround may mitigate the effect of this vulnerability.
  • Limit the maximum size of HTTP requests
According to the developer, Apache Httpd provides the LimitRequestFieldSize directive and Apache Tomcat provides the maxHttpHeaderSize attribute in their respective configuration files to limit the maximum size of HTTP request headers. The developer also states that limiting the maximum size to 2048 bytes will mitigate this vulnerability. For more details, refer to the information provided by the developer.
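As an added illustration (not part of the JVN advisory and not taken from the Tomcat project's own documentation), the following server.xml fragment shows a Tomcat HTTP connector before and after the workaround is applied. The port, protocol, timeout and redirect values are assumed sample values; the 2048-byte limit is the figure the advisory quotes, and the 8192-byte figure is Tomcat's default when maxHttpHeaderSize is omitted.

```xml
<!-- Added example server.xml fragment; not from the advisory or from Tomcat.
     Before: maxHttpHeaderSize is not set, so Tomcat applies its default
     limit of 8192 bytes to the request headers it will accept. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

<!-- After: cap the request headers at 2048 bytes, the value the advisory
     says mitigates this issue. A request whose headers exceed the limit is
     rejected by the connector before the servlet, and therefore Commons
     FileUpload, ever parses it. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxHttpHeaderSize="2048" />
```

The limit applies to every request header, not only to multipart uploads, so check whether the application legitimately receives large headers (long cookies or authorization tokens, for example) before lowering it, and confirm the change on the connector that actually receives client traffic (a reverse proxy in front of Tomcat has its own limit; for Apache Httpd the advisory names the equivalent directive, LimitRequestFieldSize, set to 2048).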

References

JPCERT/CC Addendum

The title in the link under "Vendor Status" states an "information disclosure vulnerability" but "Denial of Service (DoS)" is correct.

Vulnerability Analysis by JPCERT/CC

CVSS v3: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score: 5.3
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality Impact (C): None (N)
Integrity Impact (I): None (N)
Availability Impact (A): Low (L)

CVSS v2: AV:N/AC:L/Au:N/C:N/I:N/A:P
Base Score: 5.0
Access Vector (AV): Network (N)
Access Complexity (AC): Low (L)
Authentication (Au): None (N)
Confidentiality Impact (C): None (N)
Integrity Impact (I): None (N)
Availability Impact (A): Partial (P)

Credit

TERASOLUNA FW(Struts1) Team of NTT DATA Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE: CVE-2016-3092
JVN iPedia: JVNDB-2016-000121

Update History

2016/07/01
FUJITSU LIMITED update status
2016/07/06
NEC Corporation update status
2016/07/07
Fixed error under "Solution". FUJITSU LIMITED update status.
2016/08/04
NTT DATA Corporation update status
2016/08/12
NEC Corporation update status
2016/09/15
NEC Corporation update status