Description
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=1349468
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121
http://svn.apache.org/viewvc?view=revision&revision=1743480
http://svn.apache.org/viewvc?view=revision&revision=1743738
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-7.html
http://jvn.jp/en/jp/JVN89379547/index.html
http://svn.apache.org/viewvc?view=revision&revision=1743722
http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E
http://svn.apache.org/viewvc?view=revision&revision=1743742
http://www.debian.org/security/2016/dsa-3614
http://www.ubuntu.com/usn/USN-3027-1
http://www.debian.org/security/2016/dsa-3611
http://www.debian.org/security/2016/dsa-3609
http://www.ubuntu.com/usn/USN-3024-1
http://www.securityfocus.com/bid/91453
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
https://security.gentoo.org/glsa/201705-09
http://www.securitytracker.com/id/1037029
http://www.securitytracker.com/id/1036900
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securitytracker.com/id/1036427
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securitytracker.com/id/1039606
https://access.redhat.com/errata/RHSA-2017:0456
https://access.redhat.com/errata/RHSA-2017:0455
http://rhn.redhat.com/errata/RHSA-2017-0457.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://rhn.redhat.com/errata/RHSA-2016-2072.html
http://rhn.redhat.com/errata/RHSA-2016-2071.html
http://rhn.redhat.com/errata/RHSA-2016-2070.html
http://rhn.redhat.com/errata/RHSA-2016-2069.html
http://rhn.redhat.com/errata/RHSA-2016-2068.html
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://security.netapp.com/advisory/ntap-20190212-0001/
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://security.gentoo.org/glsa/202107-39
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E