
JVN#89379547: Apache Commons FileUpload vulnerable to denial-of-service (DoS)

2016-06-30 00:00:00
Japan Vulnerability Notes
jvn.jp

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.043 Low

EPSS

Percentile

92.2%

Apache Commons FileUpload, provided by the Apache Software Foundation, contains a flaw in the processing of multipart requests that may lead to a denial-of-service (DoS).

Impact

Processing a specially crafted request may exhaust the server's CPU resources.

Solution

Apply the update
Update to the latest version that contains a fix for this vulnerability.

Apply a workaround
Until an update can be applied, the following workaround may mitigate the effect of this vulnerability.

  • Limit the maximum size of HTTP request headers
    According to the developer, Apache Httpd provides the LimitRequestFieldSize directive and Apache Tomcat provides the maxHttpHeaderSize attribute in their respective configuration files to limit the maximum size of HTTP request headers. The developer also states that limiting this size to 2048 bytes mitigates the vulnerability. The multipart boundary is declared in the Content-Type request header, so a header size limit bounds the length of the boundary a client can supply; this is a mitigation only, not a fix for the flaw in FileUpload itself. For more details, refer to the information provided by the developer.
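A pre-filter that enforces the same limit the workaround describes, as an added example (this is not the developer's code and is not part of the JVN advisory). It assumes a front-end proxy or filter where request headers are available as a dictionary, uses the 2048-byte figure quoted above, and adds a boundary-length check based on RFC 2046 (which caps a multipart boundary at 70 characters) that the page itself does not mention. The sample requests are constructed, not captured traffic.

```python
import re

# Threshold from the advisory's workaround: cap the request header at 2048 bytes
# (the figure the page attributes to the developer).
MAX_CONTENT_TYPE_HEADER_BYTES = 2048
# RFC 2046 section 5.1.1 limits a multipart boundary to 70 characters. This is
# an additional check, not part of the page's workaround.
MAX_BOUNDARY_CHARS = 70

# Matches boundary=foo as well as boundary="quoted value".
_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def parse_boundary(content_type):
    """Return the boundary declared in a multipart Content-Type value, or None."""
    if not content_type.strip().lower().startswith("multipart/"):
        return None
    match = _BOUNDARY_RE.search(content_type)
    if match is None:
        return None
    quoted, bare = match.groups()
    return quoted if quoted is not None else bare


def check_multipart_request(headers):
    """Apply the workaround's header limit to one request.

    headers: dict of header name -> value, as a proxy or servlet filter would
    see them (assumed interface). Returns (accepted, reason).
    """
    content_type = next(
        (v for k, v in headers.items() if k.lower() == "content-type"), None)
    if content_type is None:
        return True, "no Content-Type header"
    # The header line as sent on the wire: name, separator, value (CRLF excluded).
    wire_bytes = len(f"Content-Type: {content_type}".encode("utf-8"))
    if wire_bytes > MAX_CONTENT_TYPE_HEADER_BYTES:
        return False, (f"Content-Type header is {wire_bytes} bytes; "
                       f"limit is {MAX_CONTENT_TYPE_HEADER_BYTES}")
    boundary = parse_boundary(content_type)
    if boundary is None:
        return True, "not a multipart request"
    if len(boundary) > MAX_BOUNDARY_CHARS:
        return False, (f"boundary is {len(boundary)} characters; "
                       f"RFC 2046 allows at most {MAX_BOUNDARY_CHARS}")
    return True, "ok"


# Constructed sample requests (not captured traffic).
BENIGN_HEADERS = {
    "Host": "upload.example.test",
    "Content-Type": "multipart/form-data; boundary=----FormBoundaryA1b2C3d4E5",
}
# A boundary padded to 4000 characters: far beyond what any client sends, and
# large enough that the Content-Type header alone exceeds the 2048-byte limit.
OVERSIZE_HEADERS = {
    "Host": "upload.example.test",
    "Content-Type": "multipart/form-data; boundary=" + "A" * 4000,
}
# Under the header-size limit but over the RFC 2046 boundary length.
LONG_BOUNDARY_HEADERS = {
    "Host": "upload.example.test",
    "Content-Type": "multipart/form-data; boundary=" + "B" * 200,
}


if __name__ == "__main__":
    for label, hdrs in [("benign", BENIGN_HEADERS),
                        ("oversize header", OVERSIZE_HEADERS),
                        ("long boundary", LONG_BOUNDARY_HEADERS)]:
        accepted, reason = check_multipart_request(hdrs)
        print(f"{label}: {'accept' if accepted else 'reject'} ({reason})")
```

For the container-level settings the advisory refers to, the httpd directive is written as LimitRequestFieldSize 2048 in httpd.conf and the Tomcat attribute as maxHttpHeaderSize="2048" on the Connector element in server.xml. Both cap header size for every request (LimitRequestFieldSize per header field, maxHttpHeaderSize for the whole header block), so a limit that low can reject legitimate requests that carry large cookies or authorization tokens; test against real traffic before applying it broadly.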

Products Affected

  • Commons FileUpload 1.3 to 1.3.1
  • Commons FileUpload 1.2 to 1.2.2
  • Tomcat 9.0.0.M1 to 9.0.0.M6
  • Tomcat 8.5.0 to 8.5.2
  • Tomcat 8.0.0.RC1 to 8.0.35
  • Tomcat 7.0.0 to 7.0.69
  • Struts 2.5.x and earlier

According to the developer, the unsupported versions of Commons FileUpload 1.0.x and 1.1.x may also be affected.

The developer also states that Apache Commons FileUpload is used by many Apache products; therefore products other than Tomcat and Struts 2 may also be affected by this vulnerability.
According to the developer, the following products may be affected.

  • Jenkins
  • JSPWiki
  • JXP
  • Lucene-Solr
  • onemind-commons
  • Spring
  • Stapler
  • Struts 1
  • WSDL2c
