Bug 1349468 (CVE-2016-3092) - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service
Summary: CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in de...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-3092
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1349469 1349470 1349471 1350437 1350438 1350439 1350440 1350441 1350442 1350444 1352009
Blocks: 1349475 1382592 1385444 1428325
Reported: 2016-06-23 13:54 UTC by Andrej Nemec
Modified: 2021-02-17 03:39 UTC (History)

Fixed In Version: tomcat 7.0.70, tomcat 8.5.3, tomcat 8.0.36
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:55:45 UTC




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2068 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 6 2016-10-17 22:45:13 UTC
Red Hat Product Errata RHSA-2016:2069 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 7 2016-10-17 22:36:30 UTC
Red Hat Product Errata RHSA-2016:2070 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 5 2016-10-17 22:35:09 UTC
Red Hat Product Errata RHSA-2016:2071 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update 2016-10-17 22:14:58 UTC
Red Hat Product Errata RHSA-2016:2072 0 normal SHIPPED_LIVE Moderate: jboss-ec2-eap security and enhancement update for EAP 6.4.11 2016-10-17 23:15:20 UTC
Red Hat Product Errata RHSA-2016:2599 0 normal SHIPPED_LIVE Moderate: tomcat security, bug fix, and enhancement update 2016-11-03 12:12:12 UTC
Red Hat Product Errata RHSA-2016:2807 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 2016-11-18 02:53:13 UTC
Red Hat Product Errata RHSA-2016:2808 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 2016-11-18 03:03:17 UTC
Red Hat Product Errata RHSA-2017:0455 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update 2017-03-08 00:06:40 UTC
Red Hat Product Errata RHSA-2017:0456 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 security and enhancement update 2017-03-08 00:06:06 UTC
Red Hat Product Errata RHSA-2017:0457 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server security and enhancement update 2017-03-08 00:05:59 UTC

Description Andrej Nemec 2016-06-23 13:54:56 UTC
Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long.

External references:

http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html

Upstream fixes:

Tomcat 8.5.x:

http://svn.apache.org/viewvc?view=revision&revision=1743722

Tomcat 8.0.x:

http://svn.apache.org/viewvc?view=revision&revision=1743738
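
Added here as a worked illustration, not code from Tomcat, Commons FileUpload or this bug: a small Python model of why a boundary just under the 4096-byte read buffer is so expensive, plus the request-level check a practitioner could put in a proxy or servlet filter in front of a server that has not yet received the fixed versions. The refill model (the reader retains the boundary plus a 4-byte "\r\n--" prefix between reads so a boundary split across two reads is not missed, and can therefore only pull the remaining bytes of the 4096-byte buffer per refill) is an assumption about how a streaming multipart reader behaves, not a statement of the exact upstream code. The 70-character ceiling comes from RFC 2046 section 5.1.1. All function names and the sample bodies are constructed for this example.

```python
import math
import re

BUFFER_SIZE = 4096           # read-buffer size named in the advisory
BOUNDARY_PREFIX_LEN = 4      # assumption: reader matches "\r\n--" + boundary, so keeps 4 extra bytes
RFC2046_MAX_BOUNDARY = 70    # RFC 2046 section 5.1.1: a boundary is 1 to 70 characters

# boundary may be a quoted string or a bare token
_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def boundary_from_content_type(content_type: str):
    """Return the boundary parameter of a multipart Content-Type value, or None."""
    if not content_type.lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def refills_needed(body_len: int, boundary_len: int, buf_size: int = BUFFER_SIZE) -> int:
    """Model of a streaming multipart reader (assumption, see lead-in).

    Each refill keeps the last (boundary + prefix) bytes in the buffer and can
    only read the remaining space from the socket. When the boundary is almost
    as long as the buffer, only a handful of fresh bytes arrive per refill.
    """
    keep = boundary_len + BOUNDARY_PREFIX_LEN
    fresh_per_refill = buf_size - keep
    if fresh_per_refill <= 0:
        raise ValueError("boundary does not fit in the read buffer")
    return math.ceil(body_len / fresh_per_refill)


def scan_work(body_len: int, boundary_len: int, buf_size: int = BUFFER_SIZE) -> int:
    """Approximate bytes scanned for the boundary: every refill rescans up to a full buffer."""
    return refills_needed(body_len, boundary_len, buf_size) * buf_size


def is_suspicious_multipart(content_type: str, max_len: int = RFC2046_MAX_BOUNDARY) -> bool:
    """Defense-in-depth check for a proxy or filter in front of an unpatched server:
    flag multipart requests whose boundary exceeds what RFC 2046 allows. Browsers
    and curl use boundaries of a few dozen characters, so this is low-noise."""
    boundary = boundary_from_content_type(content_type)
    return boundary is not None and len(boundary) > max_len


def build_multipart_body(boundary: str, field: str, filename: str, payload: bytes) -> bytes:
    """Constructed single-part multipart/form-data body. The client chooses the
    boundary, which is why its length is attacker-controlled."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    return head + payload + f"\r\n--{boundary}--\r\n".encode()


if __name__ == "__main__":
    one_mib = 1024 * 1024
    for blen in (40, 4000, 4090):
        ct = "multipart/form-data; boundary=" + "A" * blen
        body = build_multipart_body("A" * blen, "file", "upload.bin", b"\0" * one_mib)
        print(f"boundary={blen:5d}  body={len(body):8d}  refills={refills_needed(one_mib, blen):7d}  "
              f"scanned~{scan_work(one_mib, blen) / one_mib:6.0f} MiB  flagged={is_suspicious_multipart(ct)}")
```

With a 1 MiB part, the model needs 259 refills for a 40-byte boundary and 524288 for a 4090-byte one, roughly two thousand times more buffer scans for the same payload, which is the slowdown the description refers to. The check is a stopgap for hosts awaiting the versions in "Fixed In Version", not a substitute for updating.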

Comment 2 Andrej Nemec 2016-06-23 13:57:07 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1349469]
Affects: epel-6 [bug 1349470]

Comment 8 Martin Prpič 2016-07-07 12:38:25 UTC
EAP 4 and 6 are based on Tomcat 6, as per: https://access.redhat.com/articles/112673 . This issue affects Tomcat 7 and 8 only.

Comment 9 Eiichi Nagai 2016-08-26 07:10:04 UTC
(In reply to Martin Prpic from comment #8)
> EAP 4 and 6 are based on Tomcat 6, as per:
> https://access.redhat.com/articles/112673 . This issue affects Tomcat 7 and
> 8 only.

EAP 4 and 5 are based on Tomcat 6. EAP 6 is affected by this issue.

Comment 10 Fedora Update System 2016-09-01 13:36:26 UTC
tomcat-8.0.36-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2016-09-01 16:17:57 UTC
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2016-09-01 16:55:04 UTC
tomcat-8.0.36-2.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2016-09-01 18:52:37 UTC
tomcat-8.0.36-2.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-09-02 09:20:00 UTC
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 errata-xmlrpc 2016-10-17 18:15:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4.11

Via RHSA-2016:2071 https://rhn.redhat.com/errata/RHSA-2016-2071.html

Comment 16 errata-xmlrpc 2016-10-17 18:37:48 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2016:2070 https://rhn.redhat.com/errata/RHSA-2016-2070.html

Comment 17 errata-xmlrpc 2016-10-17 18:39:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2016:2069 https://rhn.redhat.com/errata/RHSA-2016-2069.html

Comment 18 errata-xmlrpc 2016-10-17 18:46:40 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2016:2068 https://rhn.redhat.com/errata/RHSA-2016-2068.html

Comment 19 errata-xmlrpc 2016-10-17 19:15:34 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2016:2072 https://rhn.redhat.com/errata/RHSA-2016-2072.html

Comment 20 errata-xmlrpc 2016-11-03 21:14:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html

Comment 22 errata-xmlrpc 2016-11-17 20:34:56 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html

Comment 23 errata-xmlrpc 2016-11-17 20:38:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html

Comment 24 errata-xmlrpc 2017-03-07 19:07:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

Comment 25 errata-xmlrpc 2017-03-07 19:11:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

Comment 26 errata-xmlrpc 2017-03-07 19:16:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
