Apache Commons FileUpload/Tomcat DoS Vulnerability (JVN#14876762) Advisory and Fix

Critical Vulnerability Information Vulnerability ID: JVN#14876762 Vulnerability Type: Denial of Service (DoS) Severity: Critical Affected Products Commons FileUpload: 1.0 to 1.3 Apache Tomcat: 8.0.0-RC1 to 8.0.1, 7.0.0 to 7.0.50 Description Apache Commons FileUpload has an issue when processing multipart requests, which may cause the process to enter an infinite loop. As of February 12, 2014, attack tools targeting this vulnerability have been confirmed. Impact Processing malformed requests may cause the target system to become unresponsive. Solution Update Software: - Upgrade to the latest versions that include the fix for this vulnerability: - Apache Commons FileUpload 1.3.1 - Apache Tomcat 8.0.3 - Apache Tomcat 7.0.52 - Apache Struts 2.3.16.1 Apply Patch: The corresponding source code with the fix has been released in the developer repository. Temporary Mitigation: Limit the Content-Type header size to less than 4091 bytes. Vendor Status NEC Corporation: Vulnerable, latest update date: 2016/07/11 Vulnerability Analysis Access Requirements: Can be exploited over the internet using packets Authentication: Anonymous or no authentication required (IP address not considered) User Interaction Required: No action required from legitimate users to exploit the vulnerability Exploit Complexity: Requires some expertise and/or luck (e.g., correctly guessing buffer overflow in small space, expertise in Windows function calls) References Includes CVE and JVNDB identifiers, along with other relevant information and historical update records.

Goal Reached Thanks to every supporter — we hit 100%!

Apache Commons FileUpload/Tomcat DoS Vulnerability (JVN#14876762) Advisory and Fix