JPCERT-AT-2014-0007
JPCERT/CC
2014-02-10
2014-02-10 (First edition)
2014-02-20 (Updated)
2014-03-07 (Updated)
<<< JPCERT/CC Alert 2014-02-10 >>>
[Updated] Vulnerability in Apache Commons FileUpload and Apache Tomcat
https://www.jpcert.or.jp/english/at/2014/at140007.html
I. Overview
Apache Commons FileUpload and Apache Tomcat contain a vulnerability
in the processing of multipart requests. A remote attacker can cause a
denial of service (DoS) by sending a specially crafted multipart HTTP
request to an affected web server: an overlong multipart boundary in the
Content-Type header sends the multipart parser into an infinite loop that
consumes CPU. For more details on the vulnerability, please refer to the
information provided by the Apache Software Foundation.
[SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
http://mail-archives.us.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E
II. Affected Systems
According to the information provided by the Apache Software Foundation, the
software versions below are affected by this issue:
- Apache Commons FileUpload 1.0 through 1.3
- Apache Tomcat 8.0.0-RC1 through 8.0.1
- Apache Tomcat 7.0.0 through 7.0.50
Other software that uses Apache Commons FileUpload may also be affected.
III. Solution
The Apache Software Foundation has released a version of Apache Commons
FileUpload that addresses this vulnerability. We recommend updating to this
version after thorough testing.
- Apache Commons FileUpload 1.3.1
http://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi
*** Update: Revised on March 7, 2014 *********************************
The Apache Software Foundation has released versions of Apache Tomcat 7
and Apache Tomcat 8 that address this vulnerability. We recommend updating
to these versions after thorough testing.
- Apache Tomcat 7 Downloads
http://tomcat.apache.org/download-70.cgi
- Apache Tomcat 8 Downloads
http://tomcat.apache.org/download-80.cgi
Additionally, Apache Struts 2.3.16.1, which bundles the version of Apache
Commons FileUpload that addresses this vulnerability, has been released.
- Download a Release Struts 2.3.16.1
https://struts.apache.org/download.cgi#struts23161
It is recommended to update to the version that addresses this
vulnerability after thorough testing. If the above solution cannot be
applied, please consider applying the following workaround.
- Limit the size of the Content-Type header to less than 4091 bytes. The
limit must be enforced before the multipart body is parsed, for example in
a servlet filter in front of the upload handler or in a reverse proxy in
front of the application server.
**********************************************************************
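The workaround above, as an added example that is not part of this advisory or of the Apache projects' own code: a servlet filter that rejects, with HTTP 400, any request whose Content-Type header is 4091 bytes or longer, before a servlet or Commons FileUpload gets to parse the multipart body. The class name, the constant name and the error message are assumptions chosen for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Workaround for CVE-2014-0050 when the fixed FileUpload/Tomcat cannot be
 * deployed yet: refuse requests whose Content-Type header is 4091 bytes or
 * longer, as recommended in the advisory. Class name is an assumption.
 */
public class ContentTypeLengthFilter implements Filter {

    /** The advisory's threshold: the header must stay below 4091 bytes. */
    static final int MAX_CONTENT_TYPE_BYTES = 4090;

    /**
     * Returns true when the header value exceeds the limit. The length is
     * measured in bytes, not characters, because the multipart parser works
     * on a byte buffer; HTTP header values are treated as ISO-8859-1.
     */
    static boolean isTooLong(String contentType) {
        if (contentType == null) {
            return false; // no Content-Type at all: nothing to parse
        }
        int bytes = contentType.getBytes(StandardCharsets.ISO_8859_1).length;
        return bytes > MAX_CONTENT_TYPE_BYTES;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest httpReq = (HttpServletRequest) req;
            // Read the raw header, not getContentType(): the latter may
            // already have been normalised by the container.
            String contentType = httpReq.getHeader("Content-Type");
            if (isTooLong(contentType)) {
                HttpServletResponse httpRes = (HttpServletResponse) res;
                // Reject before any servlet or FileUpload code touches the body.
                httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "Content-Type header too long");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register the filter in web.xml with a <filter> element naming this class and a <filter-mapping> whose <url-pattern> covers every path that accepts uploads (or /* to be safe), and list it before any other filter that reads request parameters or parts, since those would trigger multipart parsing first. Two caveats: Tomcat's connector attribute maxHttpHeaderSize defaults to 8192 bytes, which is above the 4091-byte threshold, so the default connector configuration does not provide this protection by itself; and the filter only guards the container it is deployed in, so other services that embed Commons FileUpload still need the upgrade to 1.3.1.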
IV. References
JVN#14876762 (Japanese)
Apache Commons FileUpload vulnerable to denial-of-service (DoS) (Critical)
https://jvn.jp/en/jp/JVN14876762/index.html
Apache Software Foundation
FileUpload - Release Notes
http://commons.apache.org/proper/commons-fileupload/changes-report.html
*** Update: Revised on February 20, 2014 *********************************
Apache Software Foundation
Apache Tomcat 7 (7.0.52) - Changelog
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html#Tomcat_7.0.51_(violetagg)
Apache Software Foundation
Apache Tomcat 8 (8.0.3) - Changelog
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.2_(markt)
**********************************************************************
*** Update: Revised on March 7, 2014 *************************************
Apache Software Foundation
Apache Struts 2 Documentation S2-020
https://struts.apache.org/release/2.3.x/docs/s2-020.html
**********************************************************************
If you have any information regarding this alert, please contact
JPCERT/CC.
======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600 FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/