Description

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=1349468

http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121

http://svn.apache.org/viewvc?view=revision&revision=1743480

http://svn.apache.org/viewvc?view=revision&revision=1743738

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

http://tomcat.apache.org/security-7.html

http://jvn.jp/en/jp/JVN89379547/index.html

http://svn.apache.org/viewvc?view=revision&revision=1743722

http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E

http://svn.apache.org/viewvc?view=revision&revision=1743742

http://www.debian.org/security/2016/dsa-3614

http://www.ubuntu.com/usn/USN-3027-1

http://www.debian.org/security/2016/dsa-3611

http://www.debian.org/security/2016/dsa-3609

http://www.ubuntu.com/usn/USN-3024-1

http://www.securityfocus.com/bid/91453

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371

http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759

http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html

https://security.gentoo.org/glsa/201705-09

http://www.securitytracker.com/id/1037029

http://www.securitytracker.com/id/1036900

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html

http://www.securitytracker.com/id/1036427

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.securitytracker.com/id/1039606

https://access.redhat.com/errata/RHSA-2017:0456

https://access.redhat.com/errata/RHSA-2017:0455

http://rhn.redhat.com/errata/RHSA-2017-0457.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2599.html

http://rhn.redhat.com/errata/RHSA-2016-2072.html

http://rhn.redhat.com/errata/RHSA-2016-2071.html

http://rhn.redhat.com/errata/RHSA-2016-2070.html

http://rhn.redhat.com/errata/RHSA-2016-2069.html

http://rhn.redhat.com/errata/RHSA-2016-2068.html

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

https://security.netapp.com/advisory/ntap-20190212-0001/

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://security.gentoo.org/glsa/202107-39

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2022-40309 Vulnerability in maven package org.apache.archiva:maven2-repository

CVE-2022-36896 Vulnerability in maven package com.compuware.jenkins:compuware-scm-downloader

CVE-2019-17554 Vulnerability in maven package org.apache.olingo:odata-server-api

CVE-2023-35160 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2020-2162 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

High

Classification

CWE-20 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Tags

Issue Tracking VDB Entry Vendor Advisory Mailing List Third Party Advisory Patch Permissions Required