Description
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1349468
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121
http://svn.apache.org/viewvc?view=revision&revision=1743480
http://svn.apache.org/viewvc?view=revision&revision=1743738
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-7.html
http://jvn.jp/en/jp/JVN89379547/index.html
http://svn.apache.org/viewvc?view=revision&revision=1743722
http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E
http://svn.apache.org/viewvc?view=revision&revision=1743742
http://www.debian.org/security/2016/dsa-3614
http://www.ubuntu.com/usn/USN-3027-1
http://www.debian.org/security/2016/dsa-3611
http://www.debian.org/security/2016/dsa-3609
http://www.ubuntu.com/usn/USN-3024-1
http://www.securityfocus.com/bid/91453
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
https://security.gentoo.org/glsa/201705-09
http://www.securitytracker.com/id/1037029
http://www.securitytracker.com/id/1036900
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securitytracker.com/id/1036427
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securitytracker.com/id/1039606
https://access.redhat.com/errata/RHSA-2017:0456
https://access.redhat.com/errata/RHSA-2017:0455
http://rhn.redhat.com/errata/RHSA-2017-0457.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://rhn.redhat.com/errata/RHSA-2016-2072.html
http://rhn.redhat.com/errata/RHSA-2016-2071.html
http://rhn.redhat.com/errata/RHSA-2016-2070.html
http://rhn.redhat.com/errata/RHSA-2016-2069.html
http://rhn.redhat.com/errata/RHSA-2016-2068.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://security.netapp.com/advisory/ntap-20190212-0001/
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://security.gentoo.org/glsa/202107-39
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
Related Vulnerabilities
CVE-2022-48285 Vulnerability in maven package org.webjars.npm:github-com-stuk-jszip
CVE-2023-33941 Vulnerability in maven package com.liferay:com.liferay.oauth2.provider.rest
CVE-2022-36916 Vulnerability in maven package org.jenkins-ci.plugins:google-cloud-backup
CVE-2022-39381 Vulnerability in npm package hummus
CVE-2022-29161 Vulnerability in maven package org.xwiki.platform:xwiki-platform-crypto