Service Notices
Apache Commons FileUpload & Tomcat DoS Vulnerability (CVE-2023-24998)
Feb 23, 2023 GMT+08:00
I. Overview
Recently, Apache Commons released an official security advisory disclosing a DoS vulnerability (CVE-2023-24998) in Apache Commons FileUpload versions earlier than 1.5. Apache Commons FileUpload does not limit the number of request parts it processes, so an attacker can trigger a DoS with a single malicious upload or a series of uploads.
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Therefore, Apache Tomcat is also affected by CVE-2023-24998.
Commons FileUpload is a free upload component provided by Apache. If you use Apache Commons FileUpload, check your system and apply security hardening promptly.
References:
https://commons.apache.org/proper/commons-fileupload/security-reports.html
https://tomcat.apache.org/security-10.html
II. Severity
Severity: important
(Severity levels: low, moderate, important, and critical)
III. Affected Products
Affected versions:
Apache Commons FileUpload 1.0-beta-1 - 1.4
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 - 10.1.4
Apache Tomcat 9.0.0-M1 - 9.0.70
Apache Tomcat 8.5.0 - 8.5.84
Secure versions:
Apache Commons FileUpload >= 1.5
Apache Tomcat >= 11.0.0-M3
Apache Tomcat >= 10.1.5
Apache Tomcat >= 9.0.71
Apache Tomcat >= 8.5.85
IV. Vulnerability Investigation and Fixing
Vulnerability investigation
1. Apache Commons FileUpload
Apache Commons FileUpload is vulnerable only when both of the following conditions are met:
1) The Commons-FileUpload package of the affected version is used.
2) The number and size of uploaded files are not limited when org.apache.commons.fileupload is invoked directly or when commons-fileupload is wrapped by another component.
2. Apache Tomcat
Apache Tomcat is vulnerable only when both of the following conditions are met:
1) The Tomcat version is affected.
2) The number and size of uploaded files are not limited when the org.apache.tomcat.util.http.fileupload package is invoked.
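The two investigation conditions above come down to one question: does the code that calls the FileUpload API bound the part count and sizes, or does it rely on the library's defaults (which in versions before 1.5 impose no part-count limit at all)? The following Java example, added here and not part of the advisory or of the Apache projects, shows the unbounded pattern beside a hardened one. It assumes the javax.servlet API and commons-fileupload 1.5, which is where setFileCountMax and FileCountLimitExceededException were introduced; the limit values (10 parts, 5 MB per file, 20 MB per request, 64 KB memory threshold) are illustrative and should be set from the application's real requirements.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

/** Added example: unbounded vs. bounded use of Commons FileUpload. */
public final class UploadHandler {

    // Illustrative limits (assumed values, not from the advisory).
    private static final int  MEMORY_THRESHOLD  = 64 * 1024;          // 64 KB before spilling to disk
    private static final long MAX_FILE_COUNT    = 10;                 // parts per request
    private static final long MAX_FILE_SIZE     = 5L * 1024 * 1024;   // 5 MB per part
    private static final long MAX_REQUEST_SIZE  = 20L * 1024 * 1024;  // 20 MB per request

    /**
     * Vulnerable pattern (condition 2 in the advisory is met): no limits are set,
     * so the number of parts and their sizes are whatever the client sends.
     * With commons-fileupload < 1.5 there is no part-count limit at all.
     */
    public static List<FileItem> parseUnbounded(HttpServletRequest request)
            throws FileUploadException {
        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        return upload.parseRequest(request);
    }

    /**
     * Hardened pattern: bound part count, per-part size and total request size.
     * setFileCountMax exists only from commons-fileupload 1.5 onward, so this
     * method is also an implicit version check: it will not compile against 1.4.
     */
    public static List<FileItem> parseBounded(HttpServletRequest request)
            throws FileUploadException {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(MEMORY_THRESHOLD);

        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setFileCountMax(MAX_FILE_COUNT);   // added in 1.5 for CVE-2023-24998
        upload.setFileSizeMax(MAX_FILE_SIZE);     // per-part limit
        upload.setSizeMax(MAX_REQUEST_SIZE);      // whole-request limit
        return upload.parseRequest(request);
    }

    /** Servlet-style entry point: reject oversized requests with 413 instead of failing open. */
    public static void handle(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }
        try {
            List<FileItem> items = parseBounded(request);
            for (FileItem item : items) {
                try {
                    if (!item.isFormField()) {
                        // Application-specific storage would go here; the example only
                        // records the size so the loop stays self-contained.
                        long size = item.getSize();
                        response.getWriter().println(item.getFieldName() + ": " + size + " bytes");
                    }
                } finally {
                    item.delete();  // release temp file (if any) as soon as the part is handled
                }
            }
        } catch (FileUploadBase.FileCountLimitExceededException
                 | FileUploadBase.FileSizeLimitExceededException
                 | FileUploadBase.SizeLimitExceededException e) {
            // Limit hit: fail closed with a clear status; nothing from the request was kept.
            response.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE, e.getMessage());
        } catch (FileUploadException e) {
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "malformed multipart request");
        }
    }

    private UploadHandler() { }
}
```

A quick audit of an existing code base therefore means locating every `new ServletFileUpload(...)` / `new FileUpload(...)` (or `org.apache.tomcat.util.http.fileupload` equivalent) and confirming that `setFileCountMax`, `setFileSizeMax` and `setSizeMax` are called before `parseRequest`; any call site that looks like `parseUnbounded` above matches condition 2. For servlets that use Tomcat's built-in multipart support instead of the library directly, the corresponding controls are `@MultipartConfig(maxFileSize, maxRequestSize)` on the servlet, and in the fixed Tomcat versions the part count is bounded by the Connector's `maxParameterCount` attribute, so that value should also be reviewed rather than left at its default.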
Vulnerability fixing
This vulnerability has been fixed in the latest official releases. If your service version falls into the affected range, upgrade it to one of the secure versions listed above.
https://commons.apache.org/proper/commons-fileupload/download_fileupload.cgi
https://tomcat.apache.org/index.html
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.