Bug 1062337 - (CVE-2014-0050) CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20140206,repor...
Keywords: Security
Duplicates: 1065228
Depends On: 1064673 1064674 1064675 1064677 1064679 1064680 1064681 1064682 1064683 1064684 1064685 1064686 1064687 1066821 1066822 1066823 1066824 1066826 1069388 1071037 1071038 1072510 1072519 1072520 1072521 1075585 1080307
Blocks: 1050743 1058944 1062339 1066791 1072796 1079092 1079801 1082931 1082938 1089812
 
Reported: 2014-02-06 12:02 EST by Vincent Danen
Modified: 2016-04-11 10:13 EDT
CC: 57 users

Fixed In Version: tomcat 7.0.52, tomcat 8.0.2, apache-commons-fileupload 1.3.1
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.


Description Vincent Danen 2014-02-06 12:02:05 EST
A flaw was found in Apache Commons FileUpload.  Specially-crafted input could trigger a denial of service if the buffer used by the MultipartStream was not big enough.

Tomcat 7 includes an embedded copy of Apache Commons FileUpload, so it was possible to craft a malformed Content-Type header for a multipart request which would cause Tomcat to enter an infinite loop.

This has been corrected in Tomcat 7 via commit r1565169 [1].  It has been corrected in Apache Commons FileUpload via commit r1565143 [2].

No new releases have been made with the changes; Tomcat 7.0.51 (not yet released) will correct this flaw.

[1] http://svn.apache.org/viewvc?view=revision&revision=1565169
[2] http://svn.apache.org/viewvc?view=revision&revision=1565143
Comment 1 Vincent Danen 2014-02-06 13:52:21 EST
As per this posting:

  http://seclists.org/fulldisclosure/2014/Feb/41

it is possible to mitigate this issue by limiting the size of the Content-Type header to less than 4091 bytes.
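The description above explains the mechanism (the parser's read buffer is too small for the boundary it is told to look for, so it can never make progress) and comment 1 gives a front-end mitigation. The following is an added example, not code from commons-fileupload, Tomcat or this bug report: a Python model of the unpatched MultipartStream refill loop that shows the spin, the boundary-versus-buffer check that the 1.3.1 fix introduced (the fix compares the buffer size against the "\r\n--" + boundary delimiter length), and a header-level pre-check of the kind comment 1 describes, applied to the boundary length rather than the raw Content-Type length. The function and variable names, the constructed request bodies and the 4096-byte default buffer size are this example's assumptions; `DEFAULT_BUFSIZE` mirrors the library's default but the rest is a simplified model, not the library's own code.

```python
# Added example: a model of the CVE-2014-0050 condition in MultipartStream.
# Not code from commons-fileupload or Tomcat; names and sample data are
# this example's own. Buffer size 4096 is assumed as the library default.
import io
import re
from typing import Optional

BOUNDARY_PREFIX = b"\r\n--"   # the stream prepends CRLF "--" to the boundary
DEFAULT_BUFSIZE = 4096        # assumed: MultipartStream.DEFAULT_BUFSIZE


def delimiter_length(boundary: bytes) -> int:
    """Length of the delimiter the stream really searches for: "\\r\\n--" + boundary."""
    return len(BOUNDARY_PREFIX) + len(boundary)


def boundary_from_content_type(content_type: str) -> Optional[bytes]:
    """Extract the boundary parameter (quoted or bare) from a multipart Content-Type."""
    if not content_type.lower().startswith("multipart/"):
        return None
    m = re.search(r';\s*boundary=(?:"([^"]*)"|([^;\s]+))', content_type, re.I)
    if not m:
        return None
    value = m.group(1) if m.group(1) is not None else m.group(2)
    return value.encode("latin-1")


def buffer_fits(boundary: bytes, buf_size: int = DEFAULT_BUFSIZE) -> bool:
    """The guard the 1.3.1 fix adds: the buffer must hold the whole delimiter
    plus at least one byte of body data, otherwise the stream cannot advance."""
    return buf_size >= delimiter_length(boundary) + 1


def refill_rounds(body: bytes, boundary: bytes, buf_size: int = DEFAULT_BUFSIZE,
                  max_rounds: int = 1000) -> int:
    """Model of the unpatched refill loop for the first part's body.

    Between refills the stream keeps `keep_region` (= delimiter length) trailing
    bytes so a delimiter split across two reads is still found, then asks the
    input for `buf_size - tail` more bytes. If the delimiter is as long as the
    buffer, that request is for 0 bytes: read() returns 0 without blocking, no
    separator is found, nothing becomes available, and the loop spins forever.
    Returns the number of rounds until at least one body byte is available;
    max_rounds means no progress was made (the CVE-2014-0050 condition).
    """
    delim = BOUNDARY_PREFIX + boundary
    keep_region = len(delim)
    src = io.BytesIO(body)
    buf = bytearray(buf_size)
    head = tail = 0
    for rounds in range(1, max_rounds + 1):
        space = buf_size - tail
        n = src.readinto(memoryview(buf)[tail:buf_size]) if space else 0
        if space and n == 0:
            raise ValueError("Stream ended unexpectedly")   # Java read() == -1
        tail += n
        if buf.find(delim, head, tail) != -1:
            return rounds                                    # delimiter located
        pad = keep_region if tail - head > keep_region else tail - head
        if tail - head - pad > 0:
            return rounds                                    # body data available
    return max_rounds


def validate_content_type(content_type: str, buf_size: int = DEFAULT_BUFSIZE) -> Optional[str]:
    """Pre-check for a front end or filter placed before a vulnerable parser.
    Returns None when the request may be passed on, else the reason for a 400.
    Non-multipart requests are not affected and pass through."""
    if not content_type.lower().startswith("multipart/"):
        return None
    boundary = boundary_from_content_type(content_type)
    if boundary is None:
        return "multipart request without a boundary parameter"
    if not buffer_fits(boundary, buf_size):
        return "boundary of %d bytes cannot fit a %d-byte parser buffer" % (len(boundary), buf_size)
    return None


if __name__ == "__main__":
    # Constructed inputs: a legitimate request and one with an oversized boundary.
    print(refill_rounds(b"field=1\r\n--abc--\r\n", b"abc"))            # finds the delimiter
    print(refill_rounds(b"x" * 10000, b"B" * 4092, max_rounds=50))     # spins: 50
    print(validate_content_type("multipart/form-data; boundary=" + "B" * 4092))
```

With a 4096-byte buffer the spin starts at a boundary of 4092 bytes (4096 minus the four-byte prefix), which is exactly the length the 1.3.1 check rejects; a boundary one byte shorter leaves one byte of available data per round and the parser crawls but terminates. A header-length cap such as the one in comment 1 blocks the same requests with less precision, so the boundary-length check is the one to prefer where the Content-Type value can be parsed.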
Comment 8 Arun Babu Neelicattu 2014-02-12 23:58:23 EST
Created apache-commons-fileupload tracking bugs for this issue:

Affects: fedora-all [bug 1064675]
Comment 9 Arun Babu Neelicattu 2014-02-12 23:58:31 EST
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1064673]
Comment 10 Vincent Danen 2014-02-14 11:47:16 EST
*** Bug 1065228 has been marked as a duplicate of this bug. ***
Comment 12 Fedora Update System 2014-02-17 16:05:59 EST
apache-commons-fileupload-1.3-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2014-02-17 16:06:56 EST
apache-commons-fileupload-1.3-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 21 errata-xmlrpc 2014-03-05 14:06:31 EST
This issue has been addressed in the following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0253 https://rhn.redhat.com/errata/RHSA-2014-0253.html
Comment 22 errata-xmlrpc 2014-03-05 14:06:47 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.2.1

Via RHSA-2014:0252 https://rhn.redhat.com/errata/RHSA-2014-0252.html
Comment 24 errata-xmlrpc 2014-04-03 17:20:06 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.1
  Red Hat JBoss BPM Suite 6.0.1

Via RHSA-2014:0373 https://rhn.redhat.com/errata/RHSA-2014-0373.html
Comment 25 Chess Hazlett 2014-04-14 22:36:48 EDT
This issue has been addressed in the following products:

  Red Hat JBoss AM-Q 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html
Comment 26 Chess Hazlett 2014-04-14 22:39:36 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html
Comment 27 errata-xmlrpc 2014-04-23 14:30:27 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0429 https://rhn.redhat.com/errata/RHSA-2014-0429.html
Comment 30 errata-xmlrpc 2014-04-30 14:51:22 EDT
This issue has been addressed in the following products:

  Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3

Via RHSA-2014:0452 https://rhn.redhat.com/errata/RHSA-2014-0452.html
Comment 31 errata-xmlrpc 2014-04-30 15:02:21 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2014:0459 https://rhn.redhat.com/errata/RHSA-2014-0459.html
Comment 33 errata-xmlrpc 2014-05-06 14:02:31 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network 3.2.1

Via RHSA-2014:0473 https://rhn.redhat.com/errata/RHSA-2014-0473.html
Comment 36 errata-xmlrpc 2014-05-21 11:45:59 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 2.0.1

Via RHSA-2014:0528 https://rhn.redhat.com/errata/RHSA-2014-0528.html
Comment 37 errata-xmlrpc 2014-05-21 11:46:56 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 2.0.1

Via RHSA-2014:0527 https://rhn.redhat.com/errata/RHSA-2014-0527.html
Comment 38 errata-xmlrpc 2014-05-21 11:48:08 EDT
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6

Via RHSA-2014:0525 https://rhn.redhat.com/errata/RHSA-2014-0525.html
Comment 39 errata-xmlrpc 2014-05-21 12:06:44 EDT
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6

Via RHSA-2014:0526 https://rhn.redhat.com/errata/RHSA-2014-0526.html
Comment 42 errata-xmlrpc 2015-05-14 11:15:36 EDT
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html