Bug 1062337 (CVE-2014-0050) - CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
Summary: CVE-2014-0050 apache-commons-fileupload: denial of service due to too-small b...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0050
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140206,repor...
: 1065228 (view as bug list)
Depends On: 1064673 1064674 1064675 1064677 1064679 1064680 1064681 1064682 1064683 1064684 1064685 1064686 1064687 1066821 1066822 1066823 1066824 1066826 1069388 1071037 1071038 1072510 1072519 1072520 1072521 1075585 1080307
Blocks: 1050743 1058944 1062339 1066791 1072796 1079092 1079801 1082931 1082938 1089812
TreeView+ depends on / blocked
 
Reported: 2014-02-06 17:02 UTC by Vincent Danen
Modified: 2019-06-11 11:10 UTC (History)
54 users (show)

Fixed In Version: tomcat 7.0.52, tomcat 8.0.2, apache-commons-fileupload 1.3.1
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat and JBoss Web, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:31:21 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0252 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 security update 2014-03-06 00:05:35 UTC
Red Hat Product Errata RHSA-2014:0253 normal SHIPPED_LIVE Moderate: Red Hat JBoss Enterprise Application Platform 6.2.1 security update 2014-03-06 00:05:24 UTC
Red Hat Product Errata RHSA-2014:0373 normal SHIPPED_LIVE Moderate: Apache Commons Fileupload and JBoss Web security update 2014-04-04 01:19:48 UTC
Red Hat Product Errata RHSA-2014:0400 normal SHIPPED_LIVE Moderate: Red Hat JBoss Fuse 6.1.0 update 2014-04-14 18:27:37 UTC
Red Hat Product Errata RHSA-2014:0401 normal SHIPPED_LIVE Moderate: Red Hat JBoss A-MQ 6.1.0 update 2014-04-14 18:07:26 UTC
Red Hat Product Errata RHSA-2014:0429 normal SHIPPED_LIVE Moderate: tomcat6 security update 2014-04-23 22:27:58 UTC
Red Hat Product Errata RHSA-2014:0452 normal SHIPPED_LIVE Important: Fuse ESB Enterprise/Fuse MQ Enterprise 7.1.0 update 2014-04-30 22:49:57 UTC
Red Hat Product Errata RHSA-2014:0459 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2014-04-30 23:00:31 UTC
Red Hat Product Errata RHSA-2014:0473 normal SHIPPED_LIVE Moderate: Red Hat JBoss Operations Network 3.2.1 update 2014-05-06 22:01:24 UTC
Red Hat Product Errata RHSA-2014:0525 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update 2014-05-21 19:45:35 UTC
Red Hat Product Errata RHSA-2014:0526 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update 2014-05-21 20:06:31 UTC
Red Hat Product Errata RHSA-2014:0527 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update 2014-05-21 19:45:31 UTC
Red Hat Product Errata RHSA-2014:0528 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update 2014-05-21 19:45:27 UTC
Red Hat Product Errata RHSA-2015:1009 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC

Internal Links: 1065228

Description Vincent Danen 2014-02-06 17:02:05 UTC
A flaw was found in Apache Commons FileUpload.  Specially-crafted input could trigger a denial of service if the buffer used by the MultipartStream was not big enough.

Tomcat 7 includes an embedded copy of Apache Commons FileUpload, so it was possible to craft a malformed Content-Type header for a multipart request which would cause Tomcat to enter an infinite loop.

This has been corrected in Tomcat 7 via commit r1565169 [1].  It has been corrected in Apache Commons FileUpload via commit r1565143 [2].

No new releases have been made with the changes; Tomcat 7.0.51 (not yet released) will correct this flaw.

[1] http://svn.apache.org/viewvc?view=revision&revision=1565169
[2] http://svn.apache.org/viewvc?view=revision&revision=1565143

Comment 1 Vincent Danen 2014-02-06 18:52:21 UTC
As per this posting:

  http://seclists.org/fulldisclosure/2014/Feb/41

it is possible to mitigate this issue by limiting the size of the Content-Type header to less than 4091 bytes.

Comment 8 Arun Babu Neelicattu 2014-02-13 04:58:23 UTC
Created apache-commons-fileupload tracking bugs for this issue:

Affects: fedora-all [bug 1064675]

Comment 9 Arun Babu Neelicattu 2014-02-13 04:58:31 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1064673]

Comment 10 Vincent Danen 2014-02-14 16:47:16 UTC
*** Bug 1065228 has been marked as a duplicate of this bug. ***

Comment 12 Fedora Update System 2014-02-17 21:05:59 UTC
apache-commons-fileupload-1.3-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2014-02-17 21:06:56 UTC
apache-commons-fileupload-1.3-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 21 errata-xmlrpc 2014-03-05 19:06:31 UTC
This issue has been addressed in following products:

  JBEAP 6.2 for RHEL 5
  JBEAP 6.2 for RHEL 6

Via RHSA-2014:0253 https://rhn.redhat.com/errata/RHSA-2014-0253.html

Comment 22 errata-xmlrpc 2014-03-05 19:06:47 UTC
This issue has been addressed in following products:

  Red Hat JBoss Enterprise Application Platform 6.2.1

Via RHSA-2014:0252 https://rhn.redhat.com/errata/RHSA-2014-0252.html

Comment 24 errata-xmlrpc 2014-04-03 21:20:06 UTC
This issue has been addressed in following products:

  Red Hat JBoss BRMS 6.0.1
  Red Hat JBoss BPM Suite 6.0.1

Via RHSA-2014:0373 https://rhn.redhat.com/errata/RHSA-2014-0373.html

Comment 25 Chess Hazlett 2014-04-15 02:36:48 UTC
This issue has been addressed in following products:

  Red Hat JBoss AM-Q 6.1.0

Via RHSA-2014:0401 https://rhn.redhat.com/errata/RHSA-2014-0401.html

Comment 26 Chess Hazlett 2014-04-15 02:39:36 UTC
This issue has been addressed in following products:

  Red Hat JBoss Fuse 6.1.0

Via RHSA-2014:0400 https://rhn.redhat.com/errata/RHSA-2014-0400.html

Comment 27 errata-xmlrpc 2014-04-23 18:30:27 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:0429 https://rhn.redhat.com/errata/RHSA-2014-0429.html

Comment 30 errata-xmlrpc 2014-04-30 18:51:22 UTC
This issue has been addressed in following products:

  Fuse ESB Enterprise/MQ Enterprise 7.1.0 R1 P3

Via RHSA-2014:0452 https://rhn.redhat.com/errata/RHSA-2014-0452.html

Comment 31 errata-xmlrpc 2014-04-30 19:02:21 UTC
This issue has been addressed in following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2014:0459 https://rhn.redhat.com/errata/RHSA-2014-0459.html

Comment 33 errata-xmlrpc 2014-05-06 18:02:31 UTC
This issue has been addressed in following products:

  Red Hat JBoss Operations Network 3.2.1

Via RHSA-2014:0473 https://rhn.redhat.com/errata/RHSA-2014-0473.html

Comment 36 errata-xmlrpc 2014-05-21 15:45:59 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Server 2.0.1

Via RHSA-2014:0528 https://rhn.redhat.com/errata/RHSA-2014-0528.html

Comment 37 errata-xmlrpc 2014-05-21 15:46:56 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Server 2.0.1

Via RHSA-2014:0527 https://rhn.redhat.com/errata/RHSA-2014-0527.html

Comment 38 errata-xmlrpc 2014-05-21 15:48:08 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6

Via RHSA-2014:0525 https://rhn.redhat.com/errata/RHSA-2014-0525.html

Comment 39 errata-xmlrpc 2014-05-21 16:06:44 UTC
This issue has been addressed in following products:

  JBEWS 2 for RHEL 5
  JBEWS 2 for RHEL 6

Via RHSA-2014:0526 https://rhn.redhat.com/errata/RHSA-2014-0526.html

Comment 42 errata-xmlrpc 2015-05-14 15:15:36 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html


Note You need to log in before you can comment on or make changes to this bug.