The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat: denial of service via Apache Commons FileUpload

Synthesis of the vulnerability 

An attacker can use a long Content-Type header to generate an infinite loop in Apache Commons FileUpload or Apache Tomcat, in order to trigger a denial of service.
Impacted systems: Tomcat, Debian, BIG-IP Hardware, TMOS, Fedora, SiteScope, Domino by IBM, QRadar SIEM, Tivoli Storage Manager, WebSphere AS Traditional, ePO, openSUSE, Oracle Communications, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity of this alert: 3/4.
Creation date: 06/02/2014.
Revision date: 13/02/2014.
References of this alert: 1667254, 1676656, 1680564, 1999395, 1999474, 1999478, 1999479, 1999488, 1999532, 2015814, BID-65400, c05324755, CERTFR-2014-AVI-200, CERTFR-2014-AVI-282, CERTFR-2014-AVI-368, CERTFR-2014-AVI-382, cpuoct2016, CVE-2014-0050, DSA-2856-1, DSA-2897-1, FEDORA-2014-2175, FEDORA-2014-2183, HPSBGN03669, MDVSA-2014:056, MDVSA-2015:084, openSUSE-SU-2014:0527-1, openSUSE-SU-2014:0528-1, RHSA-2014:0252-01, RHSA-2014:0253-01, RHSA-2014:0373-01, RHSA-2014:0400-03, RHSA-2014:0401-02, RHSA-2014:0429-01, RHSA-2014:0452-01, RHSA-2014:0459-01, RHSA-2014:0473-01, RHSA-2014:0525-01, RHSA-2014:0526-01, RHSA-2014:0527-01, RHSA-2014:0528-01, RHSA-2015:1009, SB10079, SOL15189, SUSE-SU-2014:0548-1, USN-2130-1, VIGILANCE-VUL-14183, VMSA-2014-0007, VMSA-2014-0007.1, VMSA-2014-0007.2, VMSA-2014-0008, VMSA-2014-0008.2, VMSA-2014-0012.

Description of the vulnerability 

The Apache Commons FileUpload component manages the file upload feature. It is included in Apache Tomcat.

The HTTP Content-Type header indicates the media type of the request body. However, if this header is larger than 4091 bytes, the fileupload/MultipartStream.java class loops indefinitely while trying to store data in an array that is too short.

An attacker can therefore use a long Content-Type header to generate an infinite loop in Apache Commons FileUpload or Apache Tomcat, in order to trigger a denial of service.
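A defensive pre-check, added here as an example and not part of the Vigil@nce bulletin or of Apache's own code: a request-screening function (for a reverse proxy, WAF rule test harness or integration test) that refuses to hand a body to the multipart parser when the Content-Type header exceeds the 4091-byte figure given above. The HTTP request samples are constructed, and the boundary-parameter parsing is an assumption about where an oversized Content-Type header gets its length from.

```python
"""Screen HTTP request heads for Content-Type headers that would trip
the Apache Commons FileUpload / Tomcat infinite loop (CVE-2014-0050).
Added example; the 4091-byte limit is the figure from the bulletin."""
from typing import Dict, Optional, Tuple

MAX_CONTENT_TYPE_LEN = 4091  # bytes, per the bulletin


def parse_head(raw: bytes) -> Dict[str, bytes]:
    """Parse a request head (up to the blank line) into lower-cased header names."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return headers


def boundary_of(content_type: bytes) -> Optional[bytes]:
    """Return the multipart boundary parameter (quoted or bare), if present."""
    for param in content_type.split(b";")[1:]:
        key, _, value = param.strip().partition(b"=")
        if key.strip().lower() == b"boundary":
            return value.strip().strip(b'"')
    return None


def screen_request(raw: bytes, limit: int = MAX_CONTENT_TYPE_LEN) -> Tuple[str, str]:
    """Return ('allow'|'reject', reason); 'reject' means do not pass the body on."""
    headers = parse_head(raw)
    ctype = headers.get("content-type")
    if ctype is None:
        return ("allow", "no Content-Type header")
    if len(ctype) > limit:  # the condition the bulletin describes
        return ("reject", f"Content-Type is {len(ctype)} bytes, limit is {limit}")
    if ctype.lower().startswith(b"multipart/") and boundary_of(ctype) is None:
        return ("reject", "multipart body without a boundary parameter")
    return ("allow", f"Content-Type is {len(ctype)} bytes")


# Constructed samples: a normal upload and one with an oversized boundary.
OK_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Type: multipart/form-data; boundary=----abc123\r\n\r\n")
LONG_REQUEST = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                b"Content-Type: multipart/form-data; boundary=" + b"A" * 4100 + b"\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("normal", OK_REQUEST), ("oversized", LONG_REQUEST)):
        print(name, *screen_request(req))
```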

This vulnerability announcement impacts software or systems such as Tomcat, Debian, BIG-IP Hardware, TMOS, Fedora, SiteScope, Domino by IBM, QRadar SIEM, Tivoli Storage Manager, WebSphere AS Traditional, ePO, openSUSE, Oracle Communications, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.

Our Vigil@nce team determined that the severity of this security alert is important.

The trust level is: confirmed by the editor. The attack origin is: internet client.

A proof of concept or an attack tool is available, so your teams must process this alert. An attacker with beginner-level skills can exploit this vulnerability.

Solutions for this threat 

Apache Tomcat: version 7.0.52.
The version 7.0.52 is fixed:
  http://tomcat.apache.org/download-70.cgi

Apache Commons FileUpload: version 1.3.1.
The version 1.3.1 is fixed:
  http://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi

Apache Tomcat: patch for Apache Commons FileUpload.
A patch is available:
  http://svn.apache.org/r1565169

Apache Commons FileUpload: patch.
A patch is available:
  http://svn.apache.org/r1565143

Debian: new libcommons-fileupload-java packages.
New packages are available:
  libcommons-fileupload-java 1.2.2-1+deb6
  libcommons-fileupload-java 1.2.2-1+deb7u2

Debian: new tomcat7 packages.
New packages are available:
  Debian 7: tomcat7 7.0.28-4+deb7u1

F5 BIG-IP: solution for Apache Commons FileUpload.
The solution is indicated in information sources.

Fedora: new apache-commons-fileupload packages.
New packages are available:
  Fedora 19 : apache-commons-fileupload 1.3-5.fc19
  Fedora 20 : apache-commons-fileupload 1.3-5.fc20

HPE SiteScope: patch.
A patch is indicated in information sources.

IBM Domino: patch for Apache Commons FileUpload.
A patch is available:
  http://www-01.ibm.com/support/docview.wss?uid=swg21657963
  http://www.ibm.com/support/docview.wss?uid=swg21663874

IBM QRadar SIEM: fixed versions for Apache Tomcat.
Fixed versions are indicated in information sources.

IBM QRadar SIEM: version 7.2.8 Patch 4.
The version 7.2.8 Patch 4 is fixed:
  https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=Linux&function=fixId&fixids=7.2.8-QRADAR-QRSIEM-20170224202650&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

IBM TSM Operations Center: solution for Liberty.
The solution is indicated in information sources.

JBoss Enterprise Application Platform: patch for jbossweb.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.2.0
  RHEL 5: jbossweb 7.3.0-2.Final_redhat_2.1.ep6.el5
  RHEL 6: jbossweb 7.3.0-2.Final_redhat_2.1.ep6.el6

Mandriva BS2: new tomcat packages.
New packages are available:
  Mandriva BS2: tomcat 7.0.59-1.mbs2

Mandriva BS: new apache-commons-fileupload packages.
New packages are available:
  Mandriva BS1: apache-commons-fileupload 1.2.2-7.1.mbs1

McAfee ePolicy Orchestrator: version 5.1.1.
The version 5.1.1 is fixed:
  http://www.mcafee.com/us/downloads/downloads.aspx

openSUSE: new jakarta-commons-fileupload packages.
New packages are available:
  openSUSE 12.3: jakarta-commons-fileupload 1.1.1-114.8.1
  openSUSE 13.1: jakarta-commons-fileupload 1.1.1-117.121.1

Oracle Communications: CPU of October 2016.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2188694.1

Red Hat Fuse ESB Enterprise: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise&downloadType=securityPatches&version=7.1.0

Red Hat JBoss A-MQ: version 6.1.0.
The version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.1.0

Red Hat JBoss BRMS/BPMS: patch.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=6.0.1
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=securityPatches&version=6.0.1

Red Hat JBoss Fuse Service Works: version 6.0.0 roll up patch 1.
The version 6.0.0 roll up patch 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0

Red Hat JBoss Fuse: version 6.1.0.
The version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.1.0

Red Hat JBoss Operations Network: version 3.2.1.
The version 3.2.1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.2.0

Red Hat JBoss Portal: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions

Red Hat JBoss Web Server: patch for Tomcat.
A patch is available in information sources.

RHEL 6.5: new tomcat6 packages.
New packages are available:
  RHEL 6: tomcat6 6.0.24-64.el6_5

SUSE LE 11: new jakarta-commons-fileupload packages.
New packages are available:
  SUSE LE 11: jakarta-commons-fileupload 1.1.1-1.37.1

Ubuntu: new libtomcat packages.
New packages are available:
  Ubuntu 13.10: libtomcat7-java 7.0.42-1ubuntu0.1
  Ubuntu 12.10: libtomcat7-java 7.0.30-0ubuntu1.3
  Ubuntu 12.04 LTS: libtomcat6-java 6.0.35-1ubuntu3.4
  Ubuntu 10.04 LTS: libtomcat6-java 6.0.24-2ubuntu1.15

VMware vCenter Operations Management Suite: versions 5.8.2 and 5.7.3.
Versions 5.8.2 and 5.7.3 are fixed:
  https://www.vmware.com/go/download-vcops

VMware vCenter Orchestrator: version 5.5.2.
The version 5.5.2 is fixed:
  https://www.vmware.com/go/download-vsphere

VMware vCenter: version 5.1 Update 3.
The version 5.1 Update 3 is fixed:
  https://www.vmware.com/go/download-vsphere

VMware vCenter: version 5.5 Update 2.
The version 5.5 Update 2 is fixed:
  https://www.vmware.com/go/download-vsphere

WebSphere AS: patch for Apache Commons FileUpload.
A patch is available in information sources.
