JVN#89379547
Apache Commons FileUpload vulnerable to denial-of-service (DoS)
Overview
Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.
Products Affected
- Commons FileUpload 1.3 to 1.3.1
- Commons FileUpload 1.2 to 1.2.2
- Tomcat 9.0.0.M1 to 9.0.0M6
- Tomcat 8.5.0 to 8.5.2
- Tomcat 8.0.0.RC1 to 8.0.35
- Tomcat 7.0.0 to 7.0.69
- Struts 2.5.x and earlier
The developer also states that Apache Commons FileUpload is widely used for multiple Apache products, therefore, multiple Apache products other than Tomcat and Struts 2 may be affected by this vulnerability.
According to the developer, the following products may be affected.
- Jenkins
- JSPWiki
- JXP
- Lucene-Solr
- onemind-commons
- Spring
- Stapler
- Struts 1
- WSDL2c
Description
Apache Commons FileUpload provided by the Apache Software Foundation contains a flaw when processing multi-part requests, which may lead to a denial-of-service (DoS).
Impact
Processing a specially crafted request may result in the server's CPU resources to be exhausted.
Solution
Apply the update
Update to the latest version that contains a fix fot this vulnerability:
Apply a workaround
Until an update can be applied, the following workaround may mitigate the effect of this vulnerability.
- Llimit the maximum size of HTTP requests
Vendor Status
| Vendor | Status | Last Update | Vendor Notes |
|---|---|---|---|
| FUJITSU LIMITED | Vulnerable | 2018/01/26 | |
| NEC Corporation | Vulnerable | 2016/09/15 | |
| NTT DATA Corporation | Vulnerable | 2016/08/03 | NTT DATA Corporation website |
References
JPCERT/CC Addendum
The title in the link under "Vendor Status" states an "information disclosure vulnerability" but "Denial of Service (DoS)" is correct.
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
TERASOLUNA FW(Struts1) Team of NTT DATA Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2016-3092 |
| JVN iPedia |
JVNDB-2016-000121 |
Update History
- 2016/07/01
- FUJITSU LIMITED update status
- 2016/07/06
- NEC Corporation update status
- 2016/07/07
- Fixed error under "Solution". FUJITSU LIMITED update status.
- 2016/08/04
- NTT DATA Corporation update status
- 2016/08/12
- NEC Corporation update status
- 2016/09/15
- NEC Corporation update status
- 2018/01/26
- FUJITSU LIMITED update status