Apache Commons FileUpload & Tomcat DoS Vulnerability (CVE-2023-24998)
Feb 23, 2023 GMT+08:00
Apache Commons has released an official security advisory disclosing a DoS vulnerability (CVE-2023-24998) in Apache Commons FileUpload versions earlier than 1.5. Apache Commons FileUpload does not limit the number of request parts it processes, so an attacker can trigger a DoS with a single malicious upload or a series of uploads.
Apache Tomcat uses a packaged, renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Therefore, Apache Tomcat is also affected by CVE-2023-24998.
Commons FileUpload is a free upload component provided by Apache. If you use Apache Commons FileUpload, check your systems and apply the security hardening below promptly.
(Severity scale: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache Commons FileUpload 1.0-beta-1 - 1.4
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 - 10.1.4
Apache Tomcat 9.0.0-M1 - 9.0.70
Apache Tomcat 8.5.0 - 8.5.84
Secure versions:
Apache Commons FileUpload >= 1.5
Apache Tomcat >= 11.0.0-M3
Apache Tomcat >= 10.1.5
Apache Tomcat >= 9.0.71
Apache Tomcat >= 8.5.85
IV. Vulnerability Investigation and Fixing
1. Apache Commons FileUpload
Apache Commons FileUpload is vulnerable only when both of the following conditions are met:
1) An affected version of the commons-fileupload package is used.
2) The number and size of uploaded files are not limited, either where org.apache.commons.fileupload is called directly or where commons-fileupload is wrapped by application code.
2. Apache Tomcat
Apache Tomcat is vulnerable only when both of the following conditions are met:
1) An affected Tomcat version is used.
2) The number and size of uploaded files are not limited when the org.apache.tomcat.util.http.fileupload package is invoked.
This vulnerability has been fixed in the latest official versions. If your service version falls into the affected range, upgrade it to one of the secure versions listed above.
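The two "not limited" conditions above (for direct use of commons-fileupload and for Tomcat's packaged copy) are both closed by setting explicit bounds before the request is parsed. The servlet below is an added example written for this advisory, not code from the Apache Commons or Tomcat projects. It assumes commons-fileupload 1.5 and the javax.servlet API (Tomcat 8.5/9) on the classpath; the three limit constants are constructed values to be tuned for the real application. The request-size and per-file-size limits already existed in 1.4; the part-count limit (setFileCountMax) is the API added in 1.5 as the fix for CVE-2023-24998, so calling it on an earlier version does not compile and is a quick way to confirm which version a build actually links against.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

// Added example (not project code): a servlet that bounds the size and
// number of multipart parts before commons-fileupload processes them.
public class BoundedUploadServlet extends HttpServlet {

    // Constructed limits for this example; tune to the application's needs.
    private static final long MAX_REQUEST_BYTES = 20L * 1024 * 1024; // whole multipart body
    private static final long MAX_FILE_BYTES    = 5L * 1024 * 1024;  // any single part
    private static final long MAX_FILE_COUNT    = 10;                // number of parts

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }

        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(256 * 1024); // parts above this are spooled to disk
        factory.setRepository(new File(System.getProperty("java.io.tmpdir")));

        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setSizeMax(MAX_REQUEST_BYTES);   // total request size (1.3+)
        upload.setFileSizeMax(MAX_FILE_BYTES);  // per-part size (1.3+)
        upload.setFileCountMax(MAX_FILE_COUNT); // part count; added in 1.5 for CVE-2023-24998

        List<FileItem> items;
        try {
            items = upload.parseRequest(request);
        } catch (FileUploadBase.SizeLimitExceededException
                 | FileUploadBase.FileSizeLimitExceededException e) {
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, "upload too large");
            return;
        } catch (FileUploadException e) {
            // Covers the part-count limit being exceeded (FileCountLimitExceededException
            // in 1.5) as well as malformed multipart bodies.
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "upload rejected: " + e.getMessage());
            return;
        }

        try {
            for (FileItem item : items) {
                if (item.isFormField()) {
                    continue; // ordinary form fields, not files
                }
                // Handle the file here: store it under a server-chosen name, scan it, etc.
            }
            response.setStatus(HttpServletResponse.SC_OK);
        } finally {
            // Release spooled temporary files whether or not processing succeeded.
            for (FileItem item : items) {
                item.delete();
            }
        }
    }
}
```

Rejecting oversized or over-numerous requests with a 413 or 400 before any part is materialised is the point: the cost to the server is bounded by the limits, not by what the client chooses to send. Log the rejections with the client address and the exception message; a burst of them against one upload endpoint is the signal that this vulnerability is being probed.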
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.