On 22/06/2016 05:51, Chinoy Gupta wrote:
> What about 8.5.x branch? Is that also affected?

Yes. 8.5.0 to 8.5.2 are affected.

> And I am not able to see this update on Tomcat security page. Any reasons for
> that?

Oversight. I'll get it added later today unless someone beats me to it.

I'll also send out a corrected, Tomcat specific announcement for this rather
than the forwarded one from Apache Commons below which has a number of errors
in the Tomcat version information:

- 8.5.x is not listed (8.5.0 to 8.5.2 are affected)
- 6.0.x is listed as affected when it is not
- 5.5.x and earlier are listed as may be affected when they are not

Mark

>
> Regards,
> Chinoy
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, June 21, 2016 3:23 PM
> To: users@tomcat.apache.org; d...@tomcat.apache.org;
> annou...@tomcat.apache.org; annou...@apache.org; secur...@tomcat.apache.org
> Subject: Fwd: CVE-2016-3092: Apache Commons Fileupload information disclosure
> vulnerability
>
>
> -------- Original Message --------
> From: Jochen Wiedmann <jochen.wiedm...@gmail.com>
> Sent: 21 June 2016 10:18:15 BST
> To: priv...@commons.apache.org, "secur...@apache.org" <secur...@apache.org>,
> Tomcat Security List <secur...@tomcat.apache.org>, annou...@apache.org,
> Apache Commons Developers List <d...@commons.apache.org>
> Subject: CVE-2016-3092: Apache Commons Fileupload information disclosure
> vulnerability
>
> CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
>
> Severity: Moderate
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Apache Commons Fileupload 1.3 to 1.3.1
> Apache Commons Fileupload 1.2 to 1.2.2
> The unsupported Apache Commons Fileupload 1.0.x, and 1.1.x may also be
> affected.
> Apache Tomcat 9.x to 9.0.0M6
> Apache Tomcat 8.x to 8.0.35
> Apache Tomcat 7.x to 7.0.69
> Apache Tomcat 6.x
> Unsupported versions of Apache Tomcat, like 5.x may also be affected.
> Apache Struts 2.5.x, and previous versions, which are distributing Commons
> FileUpload 1.3.1, or earlier versions.
>
> Description:
> A malicious client can send file upload requests that cause the HTTP server
> using the Apache Commons Fileupload library to become unresponsive,
> preventing the server from servicing other requests.
>
> This flaw is not exploitable beyond causing the code to loop expending CPU
> resources.
>
>
> Mitigation:
> All users of Apache Commons Fileupload should upgrade to 1.3.2.
> All users of Apache Tomcat should upgrade to 9.0.0M8, 8.0.36, or 7.0.70,
> respectively.
> All users of Apache Struts should replace the copy of Commons FileUpload
> (which is distributed as part of Struts) with the fixed version 1.3.2.
>
> Workaround:
>
> System administrators should restrict the permitted maximum size of HTTP
> request header values (For example, Apache Httpd provides a
> LimitRequestFieldSize directive, and Apache Tomcat provides a
> maxHttpHeaderSize attribute in their respective configuration files). A
> maximum header value size of 2048 bytes would block all dangerous requests.
>
> Example:
> File upload requests contain a so-called boundary in the Content-Type header:
>
> Content-Type: multipart/mixed;
> boundary=gc0p4Jq0M2Yt08jU534c0p
>
> The boundary may be chosen by the request sender. In the case of previous
> versions of Apache Commons Fileupload the boundary becomes dangerous, if its
> size is close to 4096 bytes.
>
> Credit:
> TERASOLUNA Framework Development Team at the Software Engineering, Research
> and Development Headquarter, for detecting this flaw, and reporting it to the
> JPCERT/CC, Taki Uchiyama (JPCERT/CC Vulnerability Handling Team) reported
> this problem to us.
>
> References:
> https://commons.apache.org/proper/commons-fileupload/security.html
>
>
>
> Note: Apache Tomcat 6.x and earlier are NOT affected.
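The header-size workaround the advisory describes, shown as an added configuration example that is not part of this thread or of the Tomcat project's own files: a Tomcat HTTP connector in conf/server.xml with maxHttpHeaderSize lowered to the 2048 bytes the advisory recommends. The port, protocol and timeout values are assumed (Tomcat's stock defaults); only the maxHttpHeaderSize attribute is the point.

```xml
<!-- conf/server.xml excerpt (added example, not from the thread).
     Tomcat's default maxHttpHeaderSize is 8192 bytes, which is large enough
     to carry a multipart boundary close to the ~4096 bytes the advisory calls
     dangerous. Capping the header block at 2048 bytes makes Tomcat reject the
     request before the Commons FileUpload parser ever sees the boundary. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443"
           maxHttpHeaderSize="2048" />
```

The Apache httpd equivalent named in the advisory is `LimitRequestFieldSize 2048` in the server configuration. Note that Tomcat's attribute bounds the whole request header block, not a single field, so clients that send large cookies or Authorization headers may start receiving errors once the cap is in place; treat this as a stopgap until the fixed releases in the advisory (and, per Mark's correction above, an 8.5.x release later than 8.5.2) are deployed.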