(JVN#14876762, JVNDB-2014-000017, CVE-2014-0050)
Last Updated: February 19, 2014
HIRT reports the vulnerabilities to JVN in line with the framework of vulnerability handling - Information Security Early Warning Partnership.
1. Overview
Apache Commons FileUpload contains a denial-of-service (DoS) vulnerability.
CVSS Severity
Base Metrics: 5.0
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Partial
Temporal Metrics: 3.9 (February 12, 2014)
Exploitability: Proof of concept code
Remediation Level: Official fix
Report Confidence: Confirmed
2. Affected Systems
+ Apache Commons FileUpload 1.0 to 1.3
+ Apache Tomcat 8.0.0-RC1 to 8.0.1
+ Apache Tomcat 7.0.0 to 7.0.50
+ Products that use Apache Commons FileUpload
Apache Tomcat 7 and Apache Tomcat 8 use a packaged renamed copy of Apache Commons FileUpload to implement the requirement of the Servlet 3.0 and later specifications to support the processing of mime-multipart requests. Tomcat 7 and 8 are therefore affected by this issue. While Tomcat 6 uses Commons FileUpload as part of the Manager application, access to that functionality is limited to authenticated administrators.
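The affected ranges listed above can be applied to an inventory as a quick triage step. The following is an added example, not code from HIRT or the Apache projects; the function names, the sample inventory lines and the two input formats (a `commons-fileupload-<version>.jar` file name and an `Apache Tomcat/<version>` banner) are assumptions.

```python
import re

# Affected ranges exactly as listed in this advisory (inclusive bounds).
# Pre-release qualifiers such as "-RC1" are ignored, so 8.0.0-RC1 maps to 8.0.0.
AFFECTED = {
    "commons-fileupload": ((1, 0, 0), (1, 3, 0)),
    "tomcat7": ((7, 0, 0), (7, 0, 50)),
    "tomcat8": ((8, 0, 0), (8, 0, 1)),
}

# Assumed inventory formats: a jar file name and a Tomcat version banner.
JAR_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)")
TOMCAT_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return a 3-part numeric tuple, zero-padded ('1.3' -> (1, 3, 0))."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(line):
    """Return (product, version, affected) for one inventory line, or None."""
    m = JAR_RE.search(line)
    if m:
        product, version = "commons-fileupload", parse_version(m.group(1))
    else:
        m = TOMCAT_RE.search(line)
        if not m:
            return None  # line names neither product
        version = tuple(int(g) for g in m.groups())
        product = "tomcat%d" % version[0]
    if product not in AFFECTED:
        return (product, version, False)  # e.g. Tomcat 6: not in the list
    low, high = AFFECTED[product]
    return (product, version, low <= version <= high)

def affected_lines(lines):
    """Return the inventory lines that fall inside an affected range."""
    return [l for l in lines if (classify(l) or (None, None, False))[2]]

# Constructed sample inventory (not real hosts or deployments).
SAMPLE = [
    "app1/WEB-INF/lib/commons-fileupload-1.2.2.jar",
    "app2/WEB-INF/lib/commons-fileupload-1.3.1.jar",
    "Server version: Apache Tomcat/7.0.50",
    "Server version: Apache Tomcat/8.0.0-RC1",
    "Server version: Apache Tomcat/6.0.37",
]

if __name__ == "__main__":
    for line in affected_lines(SAMPLE):
        print("AFFECTED:", line)
```

A web application that bundles its own FileUpload jar is matched by the jar check regardless of which Tomcat version hosts it, which covers the "Products that use Apache Commons FileUpload" entry.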
3. Impact
Processing a malformed HTTP request may cause the target system to stop responding.
4. Solution
Update the Software
CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
http://mail-archives.us.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E
FileUpload - Release Notes
http://commons.apache.org/proper/commons-fileupload/changes-report.html#a1.3.1
Apache Tomcat 7 vulnerabilities
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.51
Apache Tomcat 8 vulnerabilities
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.2
5. Vulnerability report timeline
This issue was reported responsibly to the Apache Software Foundation via JPCERT/CC (Information Security Early Warning Partnership), but an error in addressing an e-mail led to the unintended early disclosure of this issue [*1]. The Apache Software Foundation decided to publish the security advisory as soon as possible [*2]. JPCERT/CC (coordination body), IPA (receipt body) and HIRT (discoverer) also coordinated the public release (February 10, 2014) at JVN.
[2013-11-21] Confirmation of this vulnerability in Apache Commons FileUpload.
[2013-12-02] Vulnerability reported to JVN in line with the Information Security Early Warning Partnership (Figure 1).
[2013-12-04] Receiving questions about "reproduction of the vulnerable condition" and "technical detail" from IPA (receipt body).
[2013-12-06] Sending the answer regarding "reproduction of the vulnerable condition" to IPA (receipt body).
[2013-12-09] Sending the answer regarding "technical detail" to IPA (receipt body).
[2013-12-25] Acceptance of this vulnerability reporting by IPA (receipt body).
[2014-01-09] Receiving the initial reckoning date for this vulnerability report from IPA (receipt body).
[2014-02-06 01:45+00:00] Vulnerability-related information cc'd to org.apache.commons.dev [*1].
[2014-02-06 11:37+00:00] Security advisory published by the Apache Software Foundation [*2].
[2014-02-07] Coordination of public release at JVN with JPCERT/CC (coordination body) and IPA (receipt body).
[2014-02-10] Public release at JVN [*3].
Figure 1. Framework overview of the Information Security Early Warning Partnership.
6. References
6.1 Vulnerability Enumeration
JVN#14876762: Apache Commons FileUpload vulnerable to denial-of-service (DoS) (2014-02-10)
http://jvn.jp/en/jp/JVN14876762/
JVNDB-2014-000017: Apache Commons FileUpload vulnerable to denial-of-service (DoS) (2014-02-10)
http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017
CVE-2014-0050
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
6.2 Other
Information Security Early Warning Partnership
http://www.ipa.go.jp/security/english/quarterlyrep_vuln.html#Partnership
7. Update history
February 19, 2014
Masato Terada (HIRT), Akiko Numata (HIRT) and Naoko Ohnishi (HIRT)