Thanks for forwarding. I hope that everything is all right with the announcement?
On Tue, Jun 21, 2016 at 11:53 AM, Mark Thomas <ma...@apache.org> wrote:
>
> -------- Original Message --------
> From: Jochen Wiedmann <jochen.wiedm...@gmail.com>
> Sent: 21 June 2016 10:18:15 BST
> To: priv...@commons.apache.org, "secur...@apache.org" <secur...@apache.org>, Tomcat Security List <secur...@tomcat.apache.org>, annou...@apache.org, Apache Commons Developers List <d...@commons.apache.org>
> Subject: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
>
> CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
>
> Severity: Moderate
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Commons Fileupload 1.3 to 1.3.1
> Apache Commons Fileupload 1.2 to 1.2.2
> The unsupported Apache Commons Fileupload 1.0.x and 1.1.x may also be affected.
> Apache Tomcat 9.x to 9.0.0M6
> Apache Tomcat 8.x to 8.0.35
> Apache Tomcat 7.x to 7.0.69
> Apache Tomcat 6.x
> Unsupported versions of Apache Tomcat, like 5.x, may also be affected.
> Apache Struts 2.5.x and previous versions, which are distributing Commons FileUpload 1.3.1 or earlier versions.
>
> Description:
> A malicious client can send file upload requests that cause the HTTP server using the Apache Commons Fileupload library to become unresponsive, preventing the server from servicing other requests.
>
> This flaw is not exploitable beyond causing the code to loop expending CPU resources.
>
> Mitigation:
> All users of Apache Commons Fileupload should upgrade to 1.3.2.
> All users of Apache Tomcat should upgrade to 9.0.0M8, 8.0.36, or 7.0.70, respectively.
> All users of Apache Struts should replace the copy of Commons FileUpload (which is distributed as part of Struts) with the fixed version 1.3.2.
>
> Workaround:
> System administrators should restrict the permitted maximum size of HTTP request header values (for example, Apache Httpd provides a LimitRequestFieldSize directive, and Apache Tomcat provides a maxHttpHeaderSize attribute in their respective configuration files). A maximum header value size of 2048 bytes would block all dangerous requests.
>
> Example:
> File upload requests contain a so-called boundary in the Content-Type header:
>
>     Content-Type: multipart/mixed;
>         boundary=gc0p4Jq0M2Yt08jU534c0p
>
> The boundary may be chosen by the request sender. In the case of previous versions of Apache Commons Fileupload, the boundary becomes dangerous if its size is close to 4096 bytes.
>
> Credit:
> TERASOLUNA Framework Development Team at the Software Engineering, Research and Development Headquarter, for detecting this flaw and reporting it to the JPCERT/CC.
> Taki Uchiyama (JPCERT/CC Vulnerability Handling Team) reported this problem to us.
>
> References:
> https://commons.apache.org/proper/commons-fileupload/security.html
>
> --
> The next time you hear: "Don't reinvent the wheel!"
> http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
> Note: Apache Tomcat 6.x and earlier are NOT affected.

--
The next time you hear: "Don't reinvent the wheel!"
http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
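As an added example (not part of this thread, and not code from Commons FileUpload or Tomcat), the following Python pre-filter applies the advisory's workaround in front of an upload parser: it reads the request head, joins folded continuation lines such as the one in the advisory's own Content-Type example so the header value is measured as the server would see it, extracts the multipart boundary, and rejects any header value over the 2048-byte cap the advisory recommends. The request bytes, the host name, the 4090-byte boundary and the function names (`check_upload_request`, `unfold_headers`, `multipart_boundary`) are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Cap from the advisory: a 2048-byte limit on any header value blocks every
# request whose boundary could get close to the 4096 bytes it calls dangerous.
MAX_HEADER_VALUE = 2048

# boundary=token or boundary="quoted string" (RFC 2045 parameter syntax)
_BOUNDARY_RE = re.compile(r';\s*boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


@dataclass
class Verdict:
    accepted: bool
    reason: str
    boundary_len: int = 0


def unfold_headers(head: bytes) -> List[Tuple[str, str]]:
    """Split a request head into (name, value) pairs.

    A continuation line starting with SP or HTAB (obsolete line folding, which
    is exactly how the advisory's example puts the boundary on its own line)
    is joined back onto the previous header, so the length check sees the
    whole value and not just its first line.
    """
    lines = head.decode("latin-1").split("\r\n")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:  # lines[0] is the request line
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def multipart_boundary(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart Content-Type, or None."""
    if not content_type.lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_upload_request(raw: bytes, max_header_value: int = MAX_HEADER_VALUE) -> Verdict:
    """Decide whether a request head may be handed to the upload parser.

    Any header value longer than max_header_value is refused; the boundary
    length is reported either way so an operator can see how close a request
    came to the region the advisory describes.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = unfold_headers(head)
    content_type = next((v for n, v in headers if n == "content-type"), "")
    boundary = multipart_boundary(content_type)
    blen = len(boundary) if boundary is not None else 0
    for name, value in headers:
        if len(value) > max_header_value:  # latin-1: one char per wire byte
            return Verdict(False, f"header '{name}' is {len(value)} bytes, "
                                  f"over the {max_header_value}-byte cap", blen)
    if content_type.lower().startswith("multipart/") and boundary is None:
        return Verdict(False, "multipart request without a boundary parameter", 0)
    return Verdict(True, "within limits", blen)


def build_request(boundary: str) -> bytes:
    """Constructed sample upload request (not captured traffic); the boundary
    is folded onto a continuation line exactly as in the advisory's example."""
    return (
        b"POST /upload HTTP/1.1\r\n"
        b"Host: example.test\r\n"
        + f"Content-Type: multipart/form-data;\r\n boundary={boundary}\r\n".encode("ascii")
        + b"Content-Length: 0\r\n\r\n"
    )


# The advisory's own example boundary versus one near the size it calls dangerous.
BENIGN = build_request("gc0p4Jq0M2Yt08jU534c0p")
OVERSIZED = build_request("A" * 4090)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED)):
        v = check_upload_request(req)
        print(f"{label}: accepted={v.accepted} boundary_len={v.boundary_len} ({v.reason})")
```

In production this job belongs to the front end the advisory names (httpd's `LimitRequestFieldSize`, Tomcat's `maxHttpHeaderSize` on the Connector); a cap on the whole header value necessarily bounds the boundary, which is why the 2048-byte figure is enough. The script is useful for checking what a reverse proxy or WAF in front of an unpatched instance actually lets through, and the `max_header_value` parameter shows that raising the cap back above 4096 lets the oversized request reach the parser again.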