RE: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-22 Thread Chinoy Gupta
Thanks for the info, Mark.

Regards,
Chinoy

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday, June 22, 2016 11:43 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: CVE-2016-3092: Apache Commons Fileupload information disclosure 
vulnerability

On 22/06/2016 05:51, Chinoy Gupta wrote:
> What about 8.5.x branch? Is that also affected?

Yes. 8.5.0 to 8.5.2 are affected.

> And I am not able to see this update on Tomcat security page. Any reasons for 
> that?

Oversight. I'll get it added later today unless someone beats me to it.
I'll also send out a corrected, Tomcat specific announcement for this rather 
than the forwarded one from Apache Commons below which has a number of errors 
in the Tomcat version information:
- 8.5.x is not listed (8.5.0 to 8.5.2 are affected)
- 6.0.x is listed as affected when it is not
- 5.5.x and earlier are listed as may be affected when they are not

Mark


> 
> Regards,
> Chinoy


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-22 Thread Mark Thomas
On 22/06/2016 05:51, Chinoy Gupta wrote:
> What about 8.5.x branch? Is that also affected?

Yes. 8.5.0 to 8.5.2 are affected.

> And I am not able to see this update on Tomcat security page. Any reasons for 
> that?

Oversight. I'll get it added later today unless someone beats me to it.
I'll also send out a corrected, Tomcat specific announcement for this
rather than the forwarded one from Apache Commons below which has a
number of errors in the Tomcat version information:
- 8.5.x is not listed (8.5.0 to 8.5.2 are affected)
- 6.0.x is listed as affected when it is not
- 5.5.x and earlier are listed as may be affected when they are not

Mark


> 
> Regards,
> Chinoy





RE: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-21 Thread Chinoy Gupta
What about 8.5.x branch? Is that also affected? And I am not able to see this 
update on Tomcat security page. Any reasons for that?

Regards,
Chinoy




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-21 Thread Jochen Wiedmann
Thanks for forwarding. I hope that everything is alright with the announcement?


On Tue, Jun 21, 2016 at 11:53 AM, Mark Thomas <ma...@apache.org> wrote:



-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg




Fwd: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

2016-06-21 Thread Mark Thomas

 Original Message 
From: Jochen Wiedmann <jochen.wiedm...@gmail.com>
Sent: 21 June 2016 10:18:15 BST
To: priv...@commons.apache.org, "secur...@apache.org" <secur...@apache.org>, 
Tomcat Security List <secur...@tomcat.apache.org>, annou...@apache.org, Apache 
Commons Developers List <d...@commons.apache.org>
Subject: CVE-2016-3092: Apache Commons Fileupload information disclosure 
vulnerability

CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

Severity: Moderate

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Commons Fileupload 1.3 to 1.3.1
Apache Commons Fileupload 1.2 to 1.2.2
The unsupported Apache Commons Fileupload 1.0.x, and 1.1.x may also be affected.
Apache Tomcat 9.x to 9.0.0M6
Apache Tomcat 8.x to 8.0.35
Apache Tomcat 7.x to 7.0.69
Apache Tomcat 6.x
Unsupported versions of Apache Tomcat, like 5.x may also be affected.
Apache Struts 2.5.x, and previous versions, which are distributing
Commons FileUpload 1.3.1, or earlier versions.

Description:
A malicious client can send file upload requests that cause the HTTP server
using the Apache Commons Fileupload library to become unresponsive, preventing
the server from servicing other requests.

This flaw is not exploitable beyond causing the code to loop expending
CPU resources.


Mitigation:
All users of Apache Commons Fileupload should upgrade to 1.3.2.
All users of Apache Tomcat should upgrade to 9.0.0M8, 8.0.36, or
7.0.70, respectively.
All users of Apache Struts should replace the copy of Commons
FileUpload (which is distributed as part of Struts) with the fixed
version 1.3.2.

Workaround:

System administrators should restrict the permitted maximum size of HTTP request
header values (for example, Apache Httpd provides a LimitRequestFieldSize
directive, and Apache Tomcat provides a maxHttpHeaderSize attribute in their
respective configuration files). A maximum header value size of 2048 bytes would
block all dangerous requests.

Example:
File upload requests contain a so-called boundary in the Content-Type header:

Content-Type: multipart/mixed;
  boundary=gc0p4Jq0M2Yt08jU534c0p

The boundary may be chosen by the request sender. In the case of previous
versions of Apache Commons Fileupload the boundary becomes dangerous, if its
size is close to 4096 bytes.

Credit:
TERASOLUNA Framework Development Team at the Software Engineering, Research and
Development Headquarter, for detecting this flaw and reporting it to the
JPCERT/CC; Taki Uchiyama (JPCERT/CC Vulnerability Handling Team) reported this
problem to us.

References:
https://commons.apache.org/proper/commons-fileupload/security.html

-- 
The next time you hear: "Don't reinvent the wheel!"

http://www.keystonedevelopment.co.uk/wp-content/uploads/2014/10/evolution-of-the-wheel-300x85.jpg

-
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org


Note: Apache Tomcat 6.x and earlier are NOT affected.



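As an added example, not code from the advisory, from Commons FileUpload or from Tomcat, the Python script below turns the workaround in the forwarded advisory into two checks a defender can run: it measures a request's header block and its longest field against the 2048-byte cap the advisory suggests, extracts the multipart boundary from the Content-Type header (folded headers included) and flags any boundary over the RFC 2046 limit of 70 characters, and it audits the Connector elements of a server.xml for maxHttpHeaderSize. The 8192-byte figure is Tomcat's documented default when that attribute is absent; the sample header blocks and the server.xml fragment are constructed for this example.

```python
"""Added audit helpers for the CVE-2016-3092 workaround: check a request's
header block and multipart boundary against the 2048-byte cap the advisory
recommends, and check Tomcat <Connector> settings for maxHttpHeaderSize.
All sample inputs below are constructed for this example."""
import xml.etree.ElementTree as ET

TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE = 8192  # Tomcat's default when the attribute is absent
RECOMMENDED_MAX_HEADER_SIZE = 2048          # cap suggested by the advisory's workaround
RFC2046_MAX_BOUNDARY_LEN = 70               # RFC 2046 s.5.1.1: a boundary is 1 to 70 characters


def unfold_headers(raw):
    """Split a raw block of header fields into logical lines, joining folded
    continuation lines (those starting with SP or HTAB) onto the previous field."""
    lines = []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip():
            continue
        if line[0] in " \t" and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_boundary(content_type):
    """Return the boundary parameter of a Content-Type value (quotes stripped), or None."""
    for param in content_type.split(";")[1:]:
        name, sep, value = param.partition("=")
        if sep and name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            return value
    return None


def check_request_headers(raw, max_header_size=RECOMMENDED_MAX_HEADER_SIZE):
    """Return a list of (tag, detail) findings for a block of request header fields.

    The whole-block check approximates Tomcat's maxHttpHeaderSize (which caps the
    entire header); the per-field check approximates httpd's LimitRequestFieldSize.
    The boundary check is stricter than the advisory's cap: it enforces the
    RFC 2046 length limit, which no legitimate client needs to exceed."""
    findings = []
    fields = unfold_headers(raw)
    block_size = sum(len(f.encode("utf-8")) + 2 for f in fields)  # +2 for CRLF per field
    if block_size > max_header_size:
        findings.append(("header-block-too-large", block_size))
    for field in fields:
        name, _, value = field.partition(":")
        if len(field.encode("utf-8")) > max_header_size:
            findings.append(("field-too-large", name.strip()))
        if name.strip().lower() == "content-type":
            boundary = parse_boundary(value)
            if boundary is not None and len(boundary) > RFC2046_MAX_BOUNDARY_LEN:
                findings.append(("boundary-too-long", len(boundary)))
    return findings


def audit_connectors(server_xml, limit=RECOMMENDED_MAX_HEADER_SIZE):
    """Return (port, effective maxHttpHeaderSize, within_limit) for each <Connector>."""
    root = ET.fromstring(server_xml.strip())
    results = []
    for conn in root.iter("Connector"):
        size = int(conn.get("maxHttpHeaderSize", TOMCAT_DEFAULT_MAX_HTTP_HEADER_SIZE))
        results.append((conn.get("port"), size, size <= limit))
    return results


# Constructed sample: the folded Content-Type header from the advisory plus two
# ordinary fields; well under every limit.
BENIGN_HEADERS = (
    "Host: upload.example.test\n"
    "Content-Type: multipart/mixed;\n"
    "  boundary=gc0p4Jq0M2Yt08jU534c0p\n"
    "Content-Length: 1234\n"
)

# Constructed sample: a boundary padded to 4000 characters, the size region the
# advisory describes, used here only to exercise the checks.
OVERSIZED_HEADERS = (
    "Host: upload.example.test\n"
    "Content-Type: multipart/form-data; boundary=" + "x" * 4000 + "\n"
)

# Constructed server.xml fragment: one connector left at the default, one capped.
SERVER_XML_SAMPLE = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxHttpHeaderSize="2048" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    print("benign:", check_request_headers(BENIGN_HEADERS))
    print("oversized:", check_request_headers(OVERSIZED_HEADERS))
    for port, size, ok in audit_connectors(SERVER_XML_SAMPLE):
        print(f"connector {port}: maxHttpHeaderSize={size} -> {'ok' if ok else 'above cap'}")
```

Run stand-alone, the script reports no findings for the benign block, three for the oversized one (block too large, Content-Type field too large, boundary longer than RFC 2046 allows), and flags the port 8080 connector that silently inherits the 8192-byte default. The boundary-length check is the one worth keeping even after upgrading to the fixed library, since it rejects the oversized-boundary class of input independently of any particular parser's behaviour.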