Posted to dev@myfaces.apache.org by "Dennis Kieselhorst (JIRA)" <de...@myfaces.apache.org> on 2014/02/10 09:27:20 UTC

[jira] [Created] (TOBAGO-1364) CVE-2014-0050 Apache Commons FileUpload DoS

Dennis Kieselhorst created TOBAGO-1364:
------------------------------------------

             Summary: CVE-2014-0050 Apache Commons FileUpload DoS
                 Key: TOBAGO-1364
                 URL: https://issues.apache.org/jira/browse/TOBAGO-1364
             Project: MyFaces Tobago
          Issue Type: Bug
          Components: Core
    Affects Versions: 1.5.12, 2.0.0-alpha-3
            Reporter: Dennis Kieselhorst
            Priority: Critical


Specially crafted input can trigger a DoS if the buffer used by the MultipartStream is not big enough. The commons-fileupload dependency must be updated to 1.3.1 to fix this.

-------- Original Message --------
Subject:     [SECURITY] CVE-2014-0050 Apache Commons FileUpload and
Apache Tomcat DoS
Date:     Thu, 06 Feb 2014 11:37:32 +0000
From:     Mark Thomas <ma...@apache.org>
To:     Commons Users List <us...@commons.apache.org>, Tomcat Users List
<us...@tomcat.apache.org>
CC:     Commons Developers List <de...@commons.apache.org>, Tomcat
Developers List <de...@tomcat.apache.org>,
full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com,
announce@apache.org, announce@tomcat.apache.org



CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Commons FileUpload 1.0 to 1.3
- Apache Tomcat 8.0.0-RC1 to 8.0.1
- Apache Tomcat 7.0.0 to 7.0.50
- Apache Tomcat 6 and earlier are not affected

Apache Tomcat 7 and Apache Tomcat 8 use a packaged renamed copy of
Apache Commons FileUpload to implement the requirement of the Servlet
3.0 and later specifications to support the processing of
mime-multipart requests. Tomcat 7 and 8 are therefore affected by this
issue. While Tomcat 6 uses Commons FileUpload as part of the Manager
application, access to that functionality is limited to authenticated
administrators.

Description:
It is possible to craft a malformed Content-Type header for a
multipart request that causes Apache Commons FileUpload to enter an
infinite loop. A malicious user could, therefore, craft a malformed
request that triggered a denial of service.
This issue was reported responsibly to the Apache Software Foundation
via JPCERT but an error in addressing an e-mail led to the unintended
early disclosure of this issue[1].

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Commons FileUpload 1.3.1 or later once released
- Upgrade to Apache Tomcat 8.0.2 or later once released
- Upgrade to Apache Tomcat 7.0.51 or later once released
- Apply the appropriate patch
  - Commons FileUpload: http://svn.apache.org/r1565143
  - Tomcat 8: http://svn.apache.org/r1565163
  - Tomcat 7: http://svn.apache.org/r1565169
- Limit the size of the Content-Type header to less than 4091 bytes

Credit:
This issue was reported to the Apache Software Foundation via JPCERT.

References:
[1] http://markmail.org/message/kpfl7ax4el2owb3o
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
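
The last mitigation in the advisory above (keeping the Content-Type header below 4091 bytes) can be enforced in the application until the upgrade is deployed. The servlet filter below is an added example, not code from the advisory, Tobago, Commons FileUpload or Tomcat. The class name, the choice to count the header name towards the limit, and the Servlet 3.0 (`javax.servlet`) API are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Enumeration;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter (not from Tobago, Commons FileUpload or Tomcat). */
public class ContentTypeLengthFilter implements Filter {
    /** The advisory's bound: the header must stay below 4091 bytes. */
    static final int LIMIT = 4091;
    /** Assumption: the bound covers the whole header line, so the name is counted too. */
    static final int NAME_OVERHEAD = "Content-Type: ".length();

    /** True when one Content-Type header line reaches or exceeds the bound. */
    static boolean tooLong(String value) {
        // Assumes the container decoded header bytes as ISO-8859-1 (one char per byte).
        return NAME_OVERHEAD + value.getBytes(StandardCharsets.ISO_8859_1).length >= LIMIT;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest && res instanceof HttpServletResponse) {
            // Only headers are read here; touching parameters or parts could start
            // multipart parsing before the check has run.
            Enumeration<String> values = ((HttpServletRequest) req).getHeaders("Content-Type");
            while (values != null && values.hasMoreElements()) {
                if (tooLong(values.nextElement())) {
                    ((HttpServletResponse) res).sendError(
                            HttpServletResponse.SC_BAD_REQUEST, "Content-Type header too long");
                    return; // the request never reaches the multipart parser
                }
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void destroy() { }
}
```

The filter has to be mapped ahead of every filter or servlet that parses multipart requests, otherwise the parser runs before the check does.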