Bug 2172298 (CVE-2023-24998) - CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
Summary: CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2023-24998
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2173752 2173753 2173782 2174302 2174303 2174671 2174672 2175798 2211066 2211067 2211068 2211069 2211070
Blocks: 2171907
TreeView+ depends on / blocked
 
Reported: 2023-02-21 21:40 UTC by Chess Hazlett
Modified: 2023-11-14 16:51 UTC (History)
96 users (show)

Fixed In Version: commons-fileupload 1.5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Commons FileUpload, where it does not limit the number of parts being processed in a request. This issue may allow an attacker to use a malicious upload or series of uploads to trigger a denial of service. While Red Hat Satellite relies upon Apache Tomcat, it does not directly ship it. Tomcat is shipped with Red Hat Enterprise Linux and consumed by the Candlepin component of Satellite. Red Hat Satellite users are therefore advised to check the impact state of Red Hat Enterprise Linux, since any necessary fixes will be distributed through the platform.
Clone Of:
Environment:
Last Closed: 2023-05-03 19:45:43 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:2100 0 None None None 2023-05-03 14:06:59 UTC
Red Hat Product Errata RHSA-2023:3299 0 None None None 2023-05-24 17:11:09 UTC
Red Hat Product Errata RHSA-2023:4909 0 None None None 2023-09-04 12:16:27 UTC
Red Hat Product Errata RHSA-2023:4910 0 None None None 2023-09-04 12:24:24 UTC
Red Hat Product Errata RHSA-2023:6570 0 None None None 2023-11-07 08:19:33 UTC
Red Hat Product Errata RHSA-2023:7065 0 None None None 2023-11-14 15:19:56 UTC

Description Chess Hazlett 2023-02-21 21:40:00 UTC 
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Comment 3 Tomas Hoger 2023-02-27 15:35:19 UTC 
Upstream security page:
https://commons.apache.org/proper/commons-fileupload/security-reports.html#Fixed_in_Apache_Commons_FileUpload_1.5

Upstream commit:
https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17
Comment 5 Chess Hazlett 2023-02-27 21:09:58 UTC 
Created apache-commons-fileupload tracking bugs for this issue:

Affects: epel-7 [bug 2173752]
Affects: fedora-all [bug 2173753]
Comment 6 Chess Hazlett 2023-02-28 00:11:26 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2173782]
Comment 18 errata-xmlrpc 2023-05-03 14:06:54 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Springboot 3.20.1

Via RHSA-2023:2100 https://access.redhat.com/errata/RHSA-2023:2100
Comment 19 Product Security DevOps Team 2023-05-03 19:45:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-24998
Comment 20 errata-xmlrpc 2023-05-24 17:11:02 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.13

Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299
Comment 21 Sandipan Roy 2023-05-30 12:27:13 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-8 [bug 2211066]
Comment 23 errata-xmlrpc 2023-09-04 12:16:20 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:4909 https://access.redhat.com/errata/RHSA-2023:4909
Comment 24 errata-xmlrpc 2023-09-04 12:24:17 UTC 
This issue has been addressed in the following products:

  JWS 5.7.4 release

Via RHSA-2023:4910 https://access.redhat.com/errata/RHSA-2023:4910
Comment 25 Ben 2023-10-12 09:54:46 UTC 
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).
Comment 27 errata-xmlrpc 2023-11-07 08:19:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6570 https://access.redhat.com/errata/RHSA-2023:6570
Comment 28 errata-xmlrpc 2023-11-14 15:19:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7065 https://access.redhat.com/errata/RHSA-2023:7065
Note You need to log in before you can comment on or make changes to this bug.