Posted to users@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2014/02/06 12:37:32 UTC

[SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS


CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Commons FileUpload 1.0 to 1.3
- Apache Tomcat 8.0.0-RC1 to 8.0.1
- Apache Tomcat 7.0.0 to 7.0.50
- Apache Tomcat 6 and earlier are not affected

Apache Tomcat 7 and Apache Tomcat 8 use a packaged renamed copy of
Apache Commons FileUpload to implement the requirement of the Servlet
3.0 and later specifications to support the processing of
mime-multipart requests. Tomcat 7 and 8 are therefore affected by this
issue. While Tomcat 6 uses Commons FileUpload as part of the Manager
application, access to that functionality is limited to authenticated
administrators.

Description:
It is possible to craft a malformed Content-Type header for a
multipart request that causes Apache Commons FileUpload to enter an
infinite loop. A malicious user could, therefore, craft a malformed
request that triggered a denial of service.
This issue was reported responsibly to the Apache Software Foundation
via JPCERT but an error in addressing an e-mail led to the unintended
early disclosure of this issue[1].

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Commons FileUpload 1.3.1 or later once released
- Upgrade to Apache Tomcat 8.0.2 or later once released
- Upgrade to Apache Tomcat 7.0.51 or later once released
- Apply the appropriate patch
  - Commons FileUpload: http://svn.apache.org/r1565143
  - Tomcat 8: http://svn.apache.org/r1565163
  - Tomcat 7: http://svn.apache.org/r1565169
- Limit the size of the Content-Type header to less than 4091 bytes

Credit:
This issue was reported to the Apache Software Foundation via JPCERT.

References:
[1] http://markmail.org/message/kpfl7ax4el2owb3o
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS

Posted by Mark Thomas <ma...@apache.org>.

On 06/02/2014 17:15, Christopher Schultz wrote:
> Mark,
> 
> On 2/6/14, 6:37 AM, Mark Thomas wrote:
>> Mitigation: [...] - Limit the size of the Content-Type header to
>> less than 4091 bytes
> 
> Just confirming that I've read this properly: limiting the size of
> the content-type *header* to 4901 bytes? So, don't accept
> "Content-Type: [4k worth of data]" as a header?

Correct. It is actually a little more specific than that but broadly, yes.

Mark


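
Added example (an editor's illustration, not code from the advisory, from Tomcat or from Commons FileUpload): a servlet Filter that applies the last mitigation listed in the advisory, rejecting any request whose Content-Type header is 4091 bytes or longer before the multipart body is ever parsed. The class name, the 400 status and the ISO-8859-1 byte measurement are this example's own choices; it uses only the standard javax.servlet API that Tomcat 7 and 8 ship.

```java
// Editor's example, not part of the advisory or of Tomcat/Commons FileUpload.
// Enforces the advisory's workaround: refuse requests whose Content-Type
// header is 4091 bytes or longer, before any multipart parsing can run.
import java.io.IOException;
import java.nio.charset.Charset;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ContentTypeLengthFilter implements Filter {

    // Advisory wording: "less than 4091 bytes". Values at or above this are rejected.
    static final int MAX_CONTENT_TYPE_BYTES = 4091;

    // HTTP header values are bytes on the wire and Tomcat decodes them as
    // ISO-8859-1, so measure in that encoding rather than by char count.
    private static final Charset HEADER_CHARSET = Charset.forName("ISO-8859-1");

    /** Returns true when the header value is short enough to pass through. */
    static boolean isAcceptable(String contentType) {
        if (contentType == null) {
            return true; // no Content-Type header at all: nothing to parse
        }
        int bytes = contentType.getBytes(HEADER_CHARSET).length;
        return bytes < MAX_CONTENT_TYPE_BYTES;
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // Read only the raw header here. Do NOT call getParameter() or
            // getParts() before the check: on a multipart request that is
            // exactly what hands the body to the vulnerable parser.
            String contentType = httpReq.getHeader("Content-Type");
            if (!isAcceptable(contentType)) {
                HttpServletResponse httpRes = (HttpServletResponse) res;
                httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "Content-Type header too long");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register it in web.xml with a filter-mapping on /* and place it ahead of every other filter, since Tomcat parses a multipart body lazily on the first getParameter() or getParts() call and any filter that calls those first would defeat the check. Two caveats a deployer should keep in mind: Mark notes in the reply above that the real trigger condition is "a little more specific" than the stated bound, so this filter enforces the advisory's limit as written and may reject legitimate but unusually long Content-Type values; and the Connector's maxHttpHeaderSize attribute is a coarser alternative because it caps all request headers together. Either way it is a stopgap; the fix is the upgrade or patch listed in the advisory.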


Re: [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 2/6/14, 6:37 AM, Mark Thomas wrote:
> Mitigation:
> [...]
> - Limit the size of the Content-Type header to less than 4091 bytes

Just confirming that I've read this properly: limiting the size of the
content-type *header* to 4901 bytes? So, don't accept "Content-Type: [4k
worth of data]" as a header?

Thanks,
-chris