Bug 1349468 (CVE-2016-3092)
Field | Value | Field | Value
---|---|---|---
Summary: | CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service | |
Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | aileenc, alee, asantos, aszczucz, bbaranow, bdawidow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, enagai, epp-bugs, fnasser, foreplaygimmick, gvarsami, gzaronik, hhorak, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jclere, jcoleman, jdg-bugs, jdoyle, jgoulding, jialiu, joelsmith, jokerman, jolee, jorton, jpallich, jshepherd, kanderso, kconner, kfujii, krzysztof.daniel, ldimaggi, lgao, lmeyer, mbabacek, mbaluch, miburman, mizdebsk, mmccomas, mnewsome, mweiler, myarboro, nobody+bgollahe, nwallace, ohudlick, pcheung, pgier, psakar, pslavice, rnetuka, rsvoboda, rwagner, rzima, sardella, soa-p-jira, spinder, tanabe.yoshimasa, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vtunka, weli
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | tomcat 7.0.70, tomcat 8.5.3, tomcat 8.0.36 | Doc Type: | If docs needed, set a value
Doc Text: | A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file; processing such an upload took far longer than it does for a boundary of the typical tens of bytes. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2019-06-08 02:55:45 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1349469, 1349470, 1349471, 1350437, 1350438, 1350439, 1350440, 1350441, 1350442, 1350444, 1352009 | |
Bug Blocks: | 1349475, 1382592, 1385444, 1428325 | |
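The Doc Text above gives the trigger condition in one sentence: a multipart boundary whose length sits just below the 4096-byte read buffer. A front end that can see the Content-Type header before the body reaches the multipart parser can refuse such requests outright, since RFC 2046 caps a boundary at 70 characters and real clients send a few tens. The script below is an added example for this record, not Tomcat or Commons FileUpload code; it assumes a reverse proxy, servlet filter or WAF rule that inspects the header, and the `near_fileupload_buffer` window of 256 bytes is an assumed tuning value for retrospective log review, not a number from the advisory.

```python
import re
from typing import Optional

# RFC 2046 section 5.1.1 allows a multipart boundary of 1 to 70 characters.
RFC2046_MAX_BOUNDARY = 70
# Read-buffer size cited in this bug's Doc Text for Commons FileUpload.
FILEUPLOAD_BUFFER_SIZE = 4096

# Pulls the boundary parameter out of a Content-Type value, quoted or bare.
# Assumption: a regex is enough here; it is not a full RFC 2045 parameter parser.
_BOUNDARY_RE = re.compile(r'[;\s]boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def is_multipart(content_type: str) -> bool:
    """True when the media type is any multipart/* subtype."""
    return content_type.strip().lower().startswith("multipart/")


def extract_boundary(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart Content-Type, or None."""
    if not is_multipart(content_type):
        return None
    match = _BOUNDARY_RE.search(content_type)
    if match is None:
        return None
    quoted, bare = match.groups()
    return quoted if quoted is not None else bare


def classify_request(content_type: str,
                     max_boundary: int = RFC2046_MAX_BOUNDARY) -> str:
    """Decide, from the Content-Type header alone, whether a request may reach
    the multipart parser.

    Returns one of:
      "not-multipart"             nothing to check
      "reject-missing-boundary"   multipart/* with no usable boundary
      "reject-overlong-boundary"  boundary longer than max_boundary
      "accept"                    boundary in the range real clients use
    """
    if not is_multipart(content_type):
        return "not-multipart"
    boundary = extract_boundary(content_type)
    if not boundary:
        return "reject-missing-boundary"
    if len(boundary) > max_boundary:
        return "reject-overlong-boundary"
    return "accept"


def near_fileupload_buffer(boundary: str, window: int = 256) -> bool:
    """Retrospective log check: does this boundary fall in the region the Doc
    Text describes, just below the 4096-byte buffer?  The on-the-wire delimiter
    is the boundary prefixed with "--", hence the +2.  The window size is an
    assumed tuning value, not a figure from the advisory."""
    delimiter_len = len(boundary) + 2
    return FILEUPLOAD_BUFFER_SIZE - window <= delimiter_len < FILEUPLOAD_BUFFER_SIZE


# Constructed sample headers (not captured traffic).
SAMPLE_HEADERS = [
    "application/json",
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    'multipart/mixed; boundary="gc0p4Jq0M2Yt08jU534c0p"',
    "multipart/form-data",
    "multipart/form-data; boundary=" + "A" * 4090,
]


def review_samples(headers=SAMPLE_HEADERS):
    """Return (header prefix, verdict, near-buffer flag) for each sample."""
    results = []
    for header in headers:
        boundary = extract_boundary(header) or ""
        results.append((header[:48], classify_request(header),
                        near_fileupload_buffer(boundary)))
    return results


if __name__ == "__main__":
    for prefix, verdict, near in review_samples():
        print(f"{verdict:26} near-buffer={near!s:5} {prefix}")
```

Rejecting at the RFC limit leaves a margin of several thousand bytes below the buffer, so the check does not depend on knowing the exact buffer size of the deployed FileUpload version; `near_fileupload_buffer` is only for triage of historic logs on hosts that ran a version listed in Bug Depends On before the fixed releases were installed.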
Description

Andrej Nemec, 2016-06-23 13:54:56 UTC:

Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1349469]
Affects: epel-6 [bug 1349470]

Comment #8 (Martin Prpic):

EAP 4 and 6 are based on Tomcat 6, as per: https://access.redhat.com/articles/112673 . This issue affects Tomcat 7 and 8 only.

(In reply to Martin Prpic from comment #8)
> EAP 4 and 6 are based on Tomcat 6, as per:
> https://access.redhat.com/articles/112673 . This issue affects Tomcat 7 and
> 8 only.

EAP 4 and 5 are based on Tomcat 6. EAP 6 is affected by this issue.

tomcat-8.0.36-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

tomcat-8.0.36-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

tomcat-8.0.36-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4.11. Via RHSA-2016:2071 https://rhn.redhat.com/errata/RHSA-2016-2071.html

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5. Via RHSA-2016:2070 https://rhn.redhat.com/errata/RHSA-2016-2070.html

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7. Via RHSA-2016:2069 https://rhn.redhat.com/errata/RHSA-2016-2069.html

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2016:2068 https://rhn.redhat.com/errata/RHSA-2016-2068.html

This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6. Via RHSA-2016:2072 https://rhn.redhat.com/errata/RHSA-2016-2072.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 7. Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html

This issue has been addressed in the following products: Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html

This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6, Red Hat JBoss Enterprise Web Server 2 for RHEL 7. Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html

This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.0. Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7. Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6. Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455