The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

security alert CVE-2016-3092

Apache Tomcat: denial of service via FileUpload

Synthesis of the vulnerability

An attacker can send Apache Tomcat a multipart request whose boundary string has a specially chosen length, in order to overload the server (CPU consumption).
Severity of this bulletin: 2/4.
Creation date: 22/06/2016.
References of this threat: 1987864, 1989628, 1990172, 1991866, 1991867, 1991870, 1991871, 1991875, 1991876, 1991878, 1991880, 1991882, 1991884, 1991885, 1991886, 1991887, 1991889, 1991892, 1991894, 1991896, 1991902, 1991903, 1991951, 1991955, 1991959, 1991960, 1991961, 1992835, 1995388, 1995793, 2000095, 2000544, 2001563, 2012109, 2015814, 7014463, bulletinjul2016, c05324759, cpuapr2017, cpuapr2018, cpujul2017, cpujul2018, cpuoct2017, CVE-2016-3092, DLA-528-1, DLA-529-1, DSA-3609-1, DSA-3611-1, DSA-3614-1, FEDORA-2016-0a4dccdd23, FEDORA-2016-2b0c16fd82, HPSBUX03665, openSUSE-SU-2016:2252-1, RHSA-2016:2068-01, RHSA-2016:2069-01, RHSA-2016:2070-01, RHSA-2016:2071-01, RHSA-2016:2072-01, RHSA-2016:2599-02, RHSA-2016:2807-01, RHSA-2016:2808-01, RHSA-2017:0455-01, RHSA-2017:0456-01, RHSA-2017:0457-01, SUSE-SU-2017:1660-1, USN-3024-1, USN-3027-1, VIGILANCE-VUL-19953.

Description of the vulnerability

Apache Tomcat embeds a package-renamed copy (a lightly modified fork) of the Apache Commons FileUpload library.

This library parses multipart/form-data bodies, which is how an HTTP client uploads files to the server. The client chooses the boundary string that separates the parts and declares it in the Content-Type header. When the length of this boundary (plus the CRLF and "--" the parser prepends to it) is close to the size of the parser's read buffer (4096 bytes by default), the read loop advances only a few bytes per iteration while re-scanning the buffer for the boundary each time, so processing the request takes an extremely long time and consumes CPU.

An attacker can therefore send Apache Tomcat a multipart request with a boundary of a specially chosen length, in order to overload the server.
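The check below is an added example, not code from Tomcat or Commons FileUpload. It extracts the boundary from a Content-Type header and applies two limits: the parser-level invariant that the fixed library enforces (the boundary plus its CRLF and "--" prefix must fit in the read buffer, taken here as the 4096-byte default), and the RFC 2046 limit of 70 characters, which an edge filter (reverse proxy or servlet filter) can apply so that boundaries merely close to the buffer size, the case this bulletin describes, never reach an unpatched parser. The buffer size and the sample headers are assumptions constructed for the example.

```python
"""Pre-check of the multipart boundary declared in a Content-Type header.

Added example, not code from Apache Tomcat or Commons FileUpload. It shows
the length invariant a patched multipart parser enforces (the boundary plus
the "\\r\\n--" prefix it is searched with must fit inside the read buffer) and
the stricter RFC 2046 limit an edge filter can apply before the request
reaches the parser. The 4096-byte buffer is the parser default (assumption);
the sample headers below are constructed.
"""
import re
from typing import Optional

DEFAULT_BUF_SIZE = 4096          # default multipart read buffer (assumption)
BOUNDARY_PREFIX = b"\r\n--"      # the parser looks for CRLF + "--" + boundary
RFC2046_MAX_BOUNDARY = 70        # RFC 2046 section 5.1.1: 1..70 characters

# boundary=value or boundary="quoted value", case-insensitive parameter name
_BOUNDARY_RE = re.compile(r';\s*boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def boundary_from_content_type(content_type: str) -> Optional[bytes]:
    """Return the boundary parameter of a multipart Content-Type, else None."""
    if not content_type.lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.encode("ascii", errors="ignore")


def boundary_fits_buffer(boundary: bytes, buf_size: int = DEFAULT_BUF_SIZE) -> bool:
    """Parser-level invariant: boundary + prefix must leave at least one byte
    of room in the buffer, otherwise the read loop cannot make progress."""
    return buf_size >= len(boundary) + len(BOUNDARY_PREFIX) + 1


def classify_request(content_type: str, buf_size: int = DEFAULT_BUF_SIZE,
                     enforce_rfc2046: bool = True) -> str:
    """Decide what an edge filter should do with a request.

    "not-multipart"      no multipart body, nothing to check
    "reject-no-boundary" multipart type without a usable boundary
    "reject-buffer"      boundary cannot fit the parser buffer (what the
                         fixed library itself rejects)
    "reject-rfc2046"     boundary longer than RFC 2046 permits
    "accept"             boundary within limits
    """
    if not content_type.lower().startswith("multipart/"):
        return "not-multipart"
    boundary = boundary_from_content_type(content_type)
    if not boundary:
        return "reject-no-boundary"
    if not boundary_fits_buffer(boundary, buf_size):
        return "reject-buffer"
    if enforce_rfc2046 and len(boundary) > RFC2046_MAX_BOUNDARY:
        return "reject-rfc2046"
    return "accept"


if __name__ == "__main__":
    # Constructed headers: a normal browser upload, a boundary that overflows
    # the parser buffer, and a long-but-fitting boundary only RFC 2046 rejects.
    samples = {
        "browser": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
        "overflow": 'multipart/form-data; boundary="' + "A" * 4092 + '"',
        "long": "multipart/form-data; boundary=" + "B" * 200,
        "json": "application/json",
    }
    for name, header in samples.items():
        print(f"{name:9} {classify_request(header)}")
```

Such a filter is a stopgap for hosts that cannot be patched immediately; the remediation remains one of the fixed versions in the Solutions section.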

This security weakness impacts software or systems such as Tomcat, Debian, Fedora, HP-UX, Domino, QRadar SIEM, Tivoli Storage Manager, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, IBM WebSphere ESB, WebSphere MQ, MariaDB ~ precise, MySQL Community, MySQL Enterprise, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Percona Server, Puppet, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this threat bulletin is medium.

Trust level: confirmed by the vendor. Attack origin: Internet client.

An attacker with expert skills can exploit this threat.

Solutions for this threat

Apache Tomcat: version 7.0.70.
The version 7.0.70 is fixed:
  http://tomcat.apache.org/download-70.cgi

Apache Tomcat: version 8.0.36.
The version 8.0.36 is fixed:
  http://tomcat.apache.org/download-80.cgi

Apache Tomcat: version 8.5.3.
The version 8.5.3 is fixed:
  http://tomcat.apache.org/download-80.cgi
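The fixed upstream versions above can be checked mechanically. The script below is an added example, not part of the bulletin or of Tomcat: it parses the version line printed by $CATALINA_HOME/bin/version.sh, or reads ServerInfo.properties straight out of catalina.jar on hosts where Tomcat cannot be started, and compares the result with 7.0.70, 8.0.36 and 8.5.3. The assumption that distribution builds append the distributor name in parentheses to the version string is the example's, not the bulletin's; it exists to surface the caveat that the Debian, Ubuntu, Red Hat and SUSE packages listed further down carry the fix under an older upstream number, so for them only the package version compared with the distribution advisory is meaningful. The sample lines are constructed.

```python
"""Check Apache Tomcat builds against the fixed versions this bulletin lists
for CVE-2016-3092 (7.0.70, 8.0.36, 8.5.3).

Added example, not part of the Vigil@nce bulletin or of Tomcat. Input is
either the "Server version:" / "Server number:" line printed by
$CATALINA_HOME/bin/version.sh, or the ServerInfo.properties entry read
out of catalina.jar (useful on hosts where Tomcat cannot be run).
"""
import re
import zipfile
from typing import Optional, Tuple

# Fixed upstream versions per branch, as given in the bulletin.
FIXED = {
    (7, 0): (7, 0, 70),
    (8, 0): (8, 0, 36),
    (8, 5): (8, 5, 3),
}

# Matches "Apache Tomcat/8.0.32" and "Server number: 8.0.32.0"; the trailing
# "(Debian)" / "(Ubuntu)" distributor tag is an assumption about distro builds.
_VERSION_RE = re.compile(
    r"(?:Apache Tomcat/|Server number:\s*)(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(?:\s*\((\w+)\))?"
)

# Location of the version properties inside catalina.jar.
SERVER_INFO_ENTRY = "org/apache/catalina/util/ServerInfo.properties"

Parsed = Optional[Tuple[Tuple[int, int, int], Optional[str]]]


def parse_version(text: str) -> Parsed:
    """Return ((major, minor, patch), distributor) or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    version = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return version, m.group(4)


def version_from_catalina_jar(jar) -> Parsed:
    """Read server.info from catalina.jar (path or file-like) without starting Tomcat."""
    with zipfile.ZipFile(jar) as archive:
        props = archive.read(SERVER_INFO_ENTRY).decode("utf-8", errors="replace")
    for line in props.splitlines():
        if line.startswith("server.info="):
            return parse_version(line)
    return None


def assess(parsed: Parsed) -> str:
    """Classify a parsed version against the bulletin's fixed versions."""
    if parsed is None:
        return "unparsed"
    version, distributor = parsed
    if distributor is not None:
        # Distribution builds backport the fix under the old upstream number
        # (e.g. Debian 8 ships tomcat7 7.0.56-3+deb8u3 as fixed), so only the
        # package version, compared with the distribution's advisory, counts.
        return "distro-build: compare package version with the distribution advisory"
    branch = version[:2]
    if branch not in FIXED:
        return "branch not covered by this bulletin"
    return "fixed" if version >= FIXED[branch] else "vulnerable"


def assess_line(line: str) -> str:
    """Convenience wrapper for one line of version.sh output."""
    return assess(parse_version(line))


if __name__ == "__main__":
    # Constructed sample lines, not captured from real hosts.
    for sample in (
        "Server version: Apache Tomcat/8.0.35",
        "Server version: Apache Tomcat/8.0.36",
        "Server number:  7.0.69.0",
        "Server version: Apache Tomcat/7.0.56 (Debian)",
        "Server version: Apache Tomcat/9.0.0.M7",
    ):
        print(f"{sample!r:50} -> {assess_line(sample)}")
```

A 9.0.x milestone is reported as not covered because this bulletin lists no 9.x fixed version; consult the Tomcat security pages for that branch rather than assuming either way.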

Debian: new libcommons-fileupload-java packages.
New packages are available:
  Debian 8: libcommons-fileupload-java 1.3.1-1+deb8u1

Debian: new tomcat7 packages.
New packages are available:
  Debian 8: tomcat7 7.0.56-3+deb8u3
  Debian 7: tomcat7 7.0.28-4+deb7u5, libcommons-fileupload-java 1.2.2-1+deb7u3

Debian: new tomcat8 packages.
New packages are available:
  Debian 8: tomcat8 8.0.14-1+deb8u2

Fedora: new tomcat packages.
New packages are available:
  Fedora 23: tomcat 8.0.36-2.fc23
  Fedora 24: tomcat 8.0.36-2.fc24

HP-UX Tomcat: version 7.0.70.01.
The version 7.0.70.01 is fixed:
  https://h20392.www2.hpe.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXWSATW501

IBM BigFix Remote Control: solution.
The solution is indicated in information sources.
See also the bulletin VIGILANCE-SOL-52145.

IBM Cognos Analytics: solution.
The solution is indicated in information sources.

IBM Domino: fixed versions for iNotes.
The following versions are fixed:
  Domino 9.0.1 Fix Pack 7 Interim Fix 1: http://www.ibm.com/support/docview.wss?uid=swg21657963
  Domino 8.5.3 Fix Pack 6 Interim Fix 15: http://www.ibm.com/support/docview.wss?uid=swg21663874

IBM Domino: fixed versions for Tomcat.
Fixed versions are indicated in information sources.

IBM QRadar SIEM: fixed versions for Apache Tomcat.
Fixed versions are indicated in information sources.

IBM Tivoli Storage Manager: patch.
A patch is available:
  TSM 7.1: http://www.ibm.com/support/docview.wss?uid=swg24042520
  TSM 6.4: http://www.ibm.com/support/docview.wss?uid=swg24041370
  TSM 6.3: http://www.ibm.com/support/docview.wss?uid=swg24037601

IBM Tivoli System Automation Application Manager: solution for WebSphere AS.
The solution is indicated in information sources.

IBM Tivoli Workload Scheduler: solution for WebSphere AS.
The solution is indicated in information sources.

IBM WebSphere Application Server: version 7.0.0.43.
The version 7.0.0.43 is fixed.

IBM WebSphere MQ File Transfer Edition: solution for Apache Commons Fileupload.
The solution is indicated in information sources.

IBM WebSphere MQ: solution for Apache Commons FileUpload.
The solution is indicated in information sources.

MySQL: version 5.5.55.
The version 5.5.55 is fixed.

MySQL: version 5.6.36.
The version 5.6.36 is fixed.

MySQL: version 5.7.18.
The version 5.7.18 is fixed.

openSUSE Leap 42.1: new tomcat packages.
New packages are available:
  openSUSE Leap 42.1: tomcat 8.0.32-8.1

Oracle Communications: CPU of April 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2247453.1
  https://support.oracle.com/rs?type=doc&id=2248470.1
  https://support.oracle.com/rs?type=doc&id=2251718.1
  https://support.oracle.com/rs?type=doc&id=2245233.1
  https://support.oracle.com/rs?type=doc&id=2248526.1
  https://support.oracle.com/rs?type=doc&id=2250567.1

Oracle Communications: CPU of July 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2410237.1
  https://support.oracle.com/rs?type=doc&id=2406191.1
  https://support.oracle.com/rs?type=doc&id=2410234.1
  https://support.oracle.com/rs?type=doc&id=2408211.1
  https://support.oracle.com/rs?type=doc&id=2406689.1
  https://support.oracle.com/rs?type=doc&id=2408212.1
  https://support.oracle.com/rs?type=doc&id=2410243.1
  https://support.oracle.com/rs?type=doc&id=2410198.1

Oracle Fusion Middleware: CPU of April 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2353306.1

Oracle Fusion Middleware: CPU of July 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2261562.1

Oracle Fusion Middleware: CPU of October 2017.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2296870.1

Puppet Enterprise: versions 2018.1.5 and 2019.0.1.
Versions 2018.1.5 and 2019.0.1 are fixed:
  https://puppet.com/

Red Hat JBoss Enterprise Application Platform: version 6.4.11.
The version 6.4.11 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.4

Red Hat JBoss Web Server: version 2.1.2.
The version 2.1.2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=distributions&version=2.1.2

Red Hat JBoss Web Server: version 3.1.0.
The version 3.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0

RHEL 7: new tomcat packages.
New packages are available:
  RHEL 7: tomcat 7.0.69-10.el7

Solaris: patch for third party software of July 2016 v2.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

SUSE LE 12 RTM: new tomcat packages.
New packages are available:
  SUSE LE 12 RTM: tomcat 7.0.78-7.13.4

Ubuntu: new tomcat8 packages.
New packages are available:
  Ubuntu 16.04 LTS: tomcat8 8.0.32-1ubuntu1.1

Ubuntu: new tomcat packages.
New packages are available:
  Ubuntu 16.04 LTS: libtomcat7-java 7.0.68-1ubuntu0.1
  Ubuntu 15.10: libtomcat7-java 7.0.64-1ubuntu0.3
  Ubuntu 14.04 LTS: libtomcat7-java 7.0.52-1ubuntu0.6
  Ubuntu 12.04 LTS: libtomcat6-java 6.0.35-1ubuntu3.7

WebSphere AS: solution for Apache Commons FileUpload.
The solution is indicated in information sources.

WebSphere Enterprise Service Bus: solution for WebSphere AS.
The solution is indicated in information sources.

Computer vulnerabilities tracking service

Vigil@nce provides a software vulnerability alert service. The technology watch team tracks security threats targeting the computer system. Each administrator can customize the list of products for which he wants to receive vulnerability alerts. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.