Bug 2172298 (CVE-2023-24998)

Summary: CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
Product: [Other] Security Response
Reporter: Chess Hazlett <chazlett>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abenaiss, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bbuckingham, bcourt, ben.argyle, bgeorges, bmaxwell, brian.stansberry, btotty, cdewolf, chazlett, cmoulliard, csutherl, darran.lofthouse, dfreiber, dhanak, dkreling, dosoudil, eglynn, ehelms, ellin, emingora, fjuma, fmongiar, gjospin, gmalinko, hbraun, huwang, ibek, ikanello, ivassile, iweiss, janstey, jburrell, jclere, jjoyce, jnethert, jolee, jpavlik, jpechane, jpoth, jrokos, jross, jschatte, jsherril, jstastny, kverlaen, kyoshida, lbacciot, lgao, lhh, lthon, lzap, mburns, mgarciac, mhulan, mmadzin, mnovotny, mokumar, mosmerov, msochure, msvehla, nmoumoul, nwallace, orabin, pcreech, pdelbell, peholase, pgallagh, pjindal, pmackay, rchan, rguimara, rhcs-maint, rjohnson, rkieley, rogbas, rrajasek, rruss, rstancel, scorneli, shbose, smaestri, spower, szappis, tcunning, tom.jenkinson, vkumar, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: commons-fileupload 1.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service. While Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.
Story Points: ---
Last Closed: 2023-05-03 19:45:43 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2173752, 2173753, 2173782, 2174302, 2174303, 2174671, 2174672, 2175798, 2211066, 2211067, 2211068, 2211069, 2211070
Bug Blocks: 2171907

Description Chess Hazlett 2023-02-21 21:40:00 UTC
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Comment 5 Chess Hazlett 2023-02-27 21:09:58 UTC
Created apache-commons-fileupload tracking bugs for this issue:

Affects: epel-7 [bug 2173752]
Affects: fedora-all [bug 2173753]

Comment 6 Chess Hazlett 2023-02-28 00:11:26 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2173782]

Comment 18 errata-xmlrpc 2023-05-03 14:06:54 UTC
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100

Comment 19 Product Security DevOps Team 2023-05-03 19:45:35 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-24998

Comment 20 errata-xmlrpc 2023-05-24 17:11:02 UTC
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299

Comment 21 Sandipan Roy 2023-05-30 12:27:13 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-8 [bug 2211066]

Comment 23 errata-xmlrpc 2023-09-04 12:16:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:4909 https://access.redhat.com/errata/RHSA-2023:4909

Comment 24 errata-xmlrpc 2023-09-04 12:24:17 UTC
This issue has been addressed in the following products:

  JWS 5.7.4 release

Via RHSA-2023:4910 https://access.redhat.com/errata/RHSA-2023:4910

Comment 25 Ben 2023-10-12 09:54:46 UTC
This bug has not been fixed in Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).

Comment 27 errata-xmlrpc 2023-11-07 08:19:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6570 https://access.redhat.com/errata/RHSA-2023:6570

Comment 28 errata-xmlrpc 2023-11-14 15:19:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7065 https://access.redhat.com/errata/RHSA-2023:7065