Thanks for the info, Mark.

Regards,
Chinoy

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday, June 22, 2016 11:43 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability

On 22/06/2016 05:51, Chinoy Gupta wrote:
> What about 8.5.x branch? Is that also affected?

Yes. 8.5.0 to 8.5.2 are affected.

> And I am not able to see this update on Tomcat security page. Any reasons for 
> that?

Oversight. I'll get it added later today unless someone beats me to it.
I'll also send out a corrected, Tomcat specific announcement for this rather 
than the forwarded one from Apache Commons below which has a number of errors 
in the Tomcat version information:
- 8.5.x is not listed (8.5.0 to 8.5.2 are affected)
- 6.0.x is listed as affected when it is not
- 5.5.x and earlier are listed as may be affected when they are not

Mark


> 
> Regards,
> Chinoy
> 
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, June 21, 2016 3:23 PM
> To: users@tomcat.apache.org; d...@tomcat.apache.org; 
> annou...@tomcat.apache.org; annou...@apache.org; 
> secur...@tomcat.apache.org
> Subject: Fwd: CVE-2016-3092: Apache Commons Fileupload information 
> disclosure vulnerability
> 
> 
> -------- Original Message --------
> From: Jochen Wiedmann <jochen.wiedm...@gmail.com>
> Sent: 21 June 2016 10:18:15 BST
> To: priv...@commons.apache.org, "secur...@apache.org" 
> <secur...@apache.org>, Tomcat Security List 
> <secur...@tomcat.apache.org>, annou...@apache.org, Apache Commons 
> Developers List <d...@commons.apache.org>
> Subject: CVE-2016-3092: Apache Commons Fileupload information 
> disclosure vulnerability
> 
> CVE-2016-3092: Apache Commons Fileupload information disclosure 
> vulnerability
> 
> Severity: Moderate
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Apache Commons Fileupload 1.3 to 1.3.1
> Apache Commons Fileupload 1.2 to 1.2.2
> The unsupported Apache Commons Fileupload 1.0.x, and 1.1.x may also be affected.
> Apache Tomcat 9.x to 9.0.0M6
> Apache Tomcat 8.x to 8.0.35
> Apache Tomcat 7.x to 7.0.69
> Apache Tomcat 6.x
> Unsupported versions of Apache Tomcat, like 5.x may also be affected.
> Apache Struts 2.5.x, and previous versions, which are distributing Commons 
> FileUpload 1.3.1, or earlier versions.
> 
> Description:
> A malicious client can send file upload requests that cause the HTTP server 
> using the Apache Commons Fileupload library to become unresponsive, 
> preventing the server from servicing other requests.
> 
> This flaw is not exploitable beyond causing the code to loop expending CPU 
> resources.
> 
> 
> Mitigation:
> All users of Apache Commons Fileupload should upgrade to 1.3.2.
> All users of Apache Tomcat should upgrade to 9.0.0M8, 8.0.36, or 7.0.70, 
> respectively.
> All users of Apache Struts should replace the copy of Commons FileUpload 
> (which is distributed as part of Struts) with the fixed version 1.3.2.
> 
> Workaround:
> 
> System administrators should restrict the permitted maximum size of HTTP 
> request header values (For example, Apache Httpd provides a 
> LimitRequestFieldSize directive, and Apache Tomcat provides a 
> maxHttpHeaderSize attribute in their respective configuration files). A 
> maximum header value size of 2048 bytes would block all dangerous requests.
> 
> Example:
> File upload requests contain a so-called boundary in the Content-Type header:
> 
>     Content-Type: multipart/mixed;
>           boundary=gc0p4Jq0M2Yt08jU534c0p
> 
> The boundary may be chosen by the request sender. In the case of previous 
> versions of Apache Commons Fileupload the boundary becomes dangerous, if its 
> size is close to 4096 bytes.
> 
> Credit:
> TERASOLUNA Framework Development Team at the Software Engineering, Research 
> and Development Headquarter, for detecting this flaw and reporting it to 
> JPCERT/CC; Taki Uchiyama (JPCERT/CC Vulnerability Handling Team) reported 
> this problem to us.
> 
> References:
> https://commons.apache.org/proper/commons-fileupload/security.html
> 
> 
> 
> Note: Apache Tomcat 6.x and earlier are NOT affected.
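
The workaround in the forwarded advisory (cap the size of HTTP header values; the dangerous case is a multipart boundary whose length is close to 4096 bytes) as an added, runnable pre-check in Python. This is an example written for this page, not code from Apache Commons FileUpload or Tomcat. It assumes two thresholds as constants: the advisory's 2048-byte cap on header values, and, as a stricter check that the advisory does not mention, the 70-character boundary limit from RFC 2046 section 5.1.1. The sample requests, the `/upload` path and `example.test` host are constructed inline.

```python
# Added example for this page: a pre-parser check implementing the advisory's
# workaround (cap header value size at 2048 bytes) plus a stricter RFC 2046
# boundary-length check. Not code from Commons FileUpload or Tomcat.
import re
from typing import Dict, Optional, Tuple

# The advisory's workaround: a 2048-byte cap on header values blocks the
# dangerous requests (a boundary close to 4096 bytes).
MAX_HEADER_VALUE_BYTES = 2048
# Assumption beyond the advisory: RFC 2046 section 5.1.1 limits a boundary
# to 70 characters, so rejecting longer ones is a stricter, standards-based check.
RFC2046_MAX_BOUNDARY = 70

# boundary parameter, quoted or bare, anywhere after the media type
_BOUNDARY_RE = re.compile(r';\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]*))',
                          re.IGNORECASE)


def parse_headers(head: bytes) -> Dict[str, str]:
    """Parse a raw request head into lower-cased name -> value, unfolding
    continuation lines (a line starting with SP/HTAB extends the previous
    header, as in the advisory's two-line Content-Type example)."""
    headers: Dict[str, str] = {}
    current: Optional[str] = None
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip request line
        if not line:
            continue
        if line[0] in " \t" and current is not None:
            headers[current] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip().lower()
        headers[current] = value.strip()
    return headers


def boundary_of(content_type: str) -> Optional[str]:
    """Return the multipart boundary parameter, or None if absent."""
    m = _BOUNDARY_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_request(raw: bytes,
                  max_value: int = MAX_HEADER_VALUE_BYTES,
                  max_boundary: int = RFC2046_MAX_BOUNDARY) -> Tuple[bool, str]:
    """Decide whether a raw request may be handed to the multipart parser."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "incomplete header block"
    headers = parse_headers(head)
    # Check 1: the advisory's workaround (what Tomcat's maxHttpHeaderSize or
    # httpd's LimitRequestFieldSize enforce), applied to every header value.
    for name, value in headers.items():
        if len(value.encode("latin-1")) > max_value:
            return False, f"header '{name}' value exceeds {max_value} bytes"
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/"):
        return True, "not a multipart request"
    boundary = boundary_of(ctype)
    if not boundary:
        return False, "multipart request without a boundary parameter"
    # Check 2: stricter RFC 2046 limit; catches long boundaries that still
    # fit under the 2048-byte header cap.
    if len(boundary) > max_boundary:
        return False, f"boundary of {len(boundary)} chars exceeds {max_boundary}"
    return True, f"ok (boundary of {len(boundary)} chars)"


def build_request(boundary: str) -> bytes:
    """Constructed sample upload request (not captured traffic)."""
    body = (f"--{boundary}\r\n"
            'Content-Disposition: form-data; name="f"; filename="a.txt"\r\n'
            f"Content-Type: text/plain\r\n\r\nhello\r\n--{boundary}--\r\n")
    return (f"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
            f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")


BENIGN = build_request("gc0p4Jq0M2Yt08jU534c0p")  # the advisory's example boundary
OVERSIZED = build_request("A" * 4090)              # close to 4096 bytes, the dangerous case
LONG_BUT_UNDER_CAP = build_request("B" * 100)      # under the 2048 cap, over RFC 2046's 70
FOLDED = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Type: multipart/mixed;\r\n      boundary=gc0p4Jq0M2Yt08jU534c0p\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("oversized", OVERSIZED),
                       ("long-under-cap", LONG_BUT_UNDER_CAP), ("folded", FOLDED)]:
        print(label, check_request(req))
```

The first check is the advisory's own workaround and is what you get from setting `maxHttpHeaderSize` on the Tomcat Connector; the second is an extra, tighter check a reverse proxy or WAF can apply before the request reaches a still-unpatched Commons FileUpload, since a 100-character boundary is well under 2048 bytes and would otherwise pass. Neither replaces upgrading to the fixed versions listed in the advisory.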

