Service Notices

Apache Commons FileUpload & Tomcat DoS Vulnerability (CVE-2023-24998)

Feb 23, 2023 GMT+08:00

I. Overview

Apache Commons has released an official security advisory disclosing a denial-of-service (DoS) vulnerability (CVE-2023-24998) in Apache Commons FileUpload versions earlier than 1.5. Affected versions do not limit the number of parts in a multipart request, so an attacker can exhaust server resources with a single malicious upload or a series of uploads.

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Therefore, Apache Tomcat is also affected by CVE-2023-24998.

Commons FileUpload is a free upload component provided by Apache. If you use Apache Commons FileUpload, directly or through Tomcat's file upload support, check your systems and apply the fix promptly.

References:

https://commons.apache.org/proper/commons-fileupload/security-reports.html

https://tomcat.apache.org/security-10.html

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Apache Commons FileUpload 1.0-beta-1 - 1.4

Apache Tomcat 11.0.0-M1

Apache Tomcat 10.1.0-M1 - 10.1.4

Apache Tomcat 9.0.0-M1 - 9.0.70

Apache Tomcat 8.5.0 - 8.5.84

Secure versions:

Apache Commons FileUpload >= 1.5

Apache Tomcat >= 11.0.0-M3

Apache Tomcat >= 10.1.5

Apache Tomcat >= 9.0.71

Apache Tomcat >= 8.5.85

IV. Vulnerability Investigation and Fixing

Vulnerability investigation

1. Apache Commons FileUpload

Apache Commons FileUpload is vulnerable only when both of the following conditions are met:

1) An affected version of the commons-fileupload package is used.

2) The code that calls org.apache.commons.fileupload (directly, or through a library that wraps it) does not limit the number and size of the parts it accepts. Note that versions earlier than 1.5 provide no option for limiting the part count (FileUploadBase#setFileCountMax was introduced in 1.5), so on an affected version the number of parts is effectively always unlimited; size limits alone do not close the issue.

2. Apache Tomcat

Apache Tomcat is vulnerable only when both of the following conditions are met:

1) An affected Tomcat version is used.

2) The application processes multipart requests through Tomcat's file upload support (the Servlet Part API, backed by the org.apache.tomcat.util.http.fileupload package) without limiting the number and size of parts.
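The following servlet is an added example written for this notice; it is not code from Apache Commons or from the advisory. It shows the unbounded ServletFileUpload configuration that condition 2) describes next to a hardened one that sets all three limits. The limit values, the class name UploadServlet and the storage step are assumptions for illustration. The hardened version only compiles against commons-fileupload 1.5 or later, because setFileCountMax() does not exist in 1.4 and earlier, which is why upgrading is a prerequisite for bounding the part count.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/**
 * Hypothetical upload servlet (example code, not from the advisory).
 * Requires commons-fileupload 1.5+: setFileCountMax() is absent in 1.4 and earlier.
 */
public class UploadServlet extends HttpServlet {

    // Assumed limits for illustration; tune them to the application's real needs.
    private static final long MAX_REQUEST_BYTES = 50L * 1024 * 1024; // whole multipart body
    private static final long MAX_FILE_BYTES    = 10L * 1024 * 1024; // any single part
    private static final long MAX_PARTS         = 20;                // files and form fields

    /** Vulnerable pattern: every limit stays at its default of -1 (unlimited). */
    static ServletFileUpload unboundedUpload() {
        return new ServletFileUpload(new DiskFileItemFactory());
    }

    /** Hardened pattern: all three limits set explicitly; none is on by default. */
    static ServletFileUpload boundedUpload() {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(256 * 1024); // bytes held in memory before spilling to disk
        factory.setRepository(new File(System.getProperty("java.io.tmpdir")));

        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setSizeMax(MAX_REQUEST_BYTES);   // cap on the entire request body
        upload.setFileSizeMax(MAX_FILE_BYTES);  // cap on each individual part
        upload.setFileCountMax(MAX_PARTS);      // cap on part count: the CVE-2023-24998 control
        return upload;
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        List<FileItem> items;
        try {
            items = boundedUpload().parseRequest(req);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Raised as soon as the part count reaches MAX_PARTS; parsing stops early.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "too many parts");
            return;
        } catch (FileUploadBase.SizeLimitExceededException
                 | FileUploadBase.FileSizeLimitExceededException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload too large");
            return;
        } catch (FileUploadException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart body");
            return;
        }
        try {
            for (FileItem item : items) {
                if (item.isFormField()) {
                    continue; // plain form fields still count toward MAX_PARTS
                }
                // Store item.getInputStream() under a server-chosen name here (assumed step).
            }
        } finally {
            for (FileItem item : items) {
                item.delete(); // release temp files whether or not processing succeeded
            }
        }
        resp.setStatus(HttpServletResponse.SC_OK);
    }
}
```

The part-count limit applies to every item in the request, form fields included, so an attacker cannot evade it by sending thousands of small text fields instead of files. Keep the size limits as well: the count limit bounds how many parts are parsed, while setSizeMax and setFileSizeMax bound how much data each of them may carry.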

Vulnerability fixing

This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.

https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi

https://tomcat.apache.org/index.html

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.