WARNING: A VULNERABILITY IN APACHE TOMCAT / COMMONS FileUpload COULD LEAD TO A DENIAL OF SERVICE (DoS) ATTACK

Reference: Advisory #2023-20
Version: 1.0
Affected software:
Apache Commons FileUpload before 1.5
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 to 10.1.4
Apache Tomcat 9.0.0-M1 to 9.0.70
Apache Tomcat 8.5.0 to 8.5.84
Type: Denial of Service (DoS)
CVE/CVSS: CVE-2023-24998

Sources

https://nvd.nist.gov/vuln/detail/CVE-2023-24998

Risks

Successful exploitation of CVE-2023-24998 could allow a remote attacker to initiate a series of uploads and perform a Denial of Service (DoS) attack.

CVE-2023-24998 impacts the Availability component of the CIA triad (Confidentiality, Integrity, Availability).

Tomcat versions 11.0.0-M3, 10.1.5, 9.0.71, and 8.5.85 are already using version 1.5 of the library, but applications using Tomcat 11.0.0-M1,10.1.0-M1 to 10.1.4, 9.0.0-M1 to 9.0.70, and 8.5.0 to 8.5.84 need to update the Apache Commons FileUpload library.

Description

Apache Tomcat implements a package that is a renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification.

The denial-of-service vulnerability affects the Apache Commons FileUpload library before version 1.5, and Apache Tomcat through its renamed copy, because the library does not limit the number of request parts it will process. This allows an attacker to trigger a DoS with a single malicious upload or a series of uploads.

Recommended Actions

The CCB recommends that administrators upgrade to Apache Commons FileUpload 1.5 or later, as released by the vendor, or to a Tomcat version that already ships it (11.0.0-M3, 10.1.5, 9.0.71, 8.5.85 or later).
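Upgrading the library alone does not bound the number of parts: the counter that 1.5 introduces, FileUploadBase.setFileCountMax(long), is an opt-in limit, like the existing size limits, and must be set by the application. The servlet below is an added example, not code from the advisory or from the Apache project, showing how an application that calls the Commons FileUpload API directly would configure that limit next to the per-file and per-request size limits and turn a limit violation into a 413 response instead of an unbounded parse. The class name BoundedUploadServlet and the three limit values are assumptions chosen for illustration; applications that use the Servlet Part API instead rely on Tomcat's renamed copy and get the fix by upgrading Tomcat.

```java
import java.io.IOException;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

// Example servlet (not from the advisory) that parses multipart uploads with
// Commons FileUpload 1.5+ and applies an explicit cap on the number of parts.
public class BoundedUploadServlet extends HttpServlet {

    // Assumed limits for this example; size them to what the application really needs.
    private static final long MAX_PARTS = 20;                        // setFileCountMax, new in 1.5
    private static final long MAX_FILE_SIZE = 5L * 1024 * 1024;      // per uploaded file
    private static final long MAX_REQUEST_SIZE = 20L * 1024 * 1024;  // whole multipart body

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        if (!ServletFileUpload.isMultipartContent(req)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "multipart/form-data expected");
            return;
        }

        ServletFileUpload upload = new ServletFileUpload(new DiskFileItemFactory());
        // All three limits are disabled (-1) unless set; setFileCountMax is the
        // control that addresses CVE-2023-24998.
        upload.setFileCountMax(MAX_PARTS);
        upload.setFileSizeMax(MAX_FILE_SIZE);
        upload.setSizeMax(MAX_REQUEST_SIZE);

        List<FileItem> items = null;
        try {
            // Parsing stops as soon as any configured limit is exceeded.
            items = upload.parseRequest(req);
            for (FileItem item : items) {
                if (!item.isFormField()) {
                    handleFile(item);
                }
            }
            resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Too many parts in one request: reject rather than keep allocating.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "too many parts in upload (limit " + MAX_PARTS + ")");
        } catch (FileUploadBase.SizeException e) {
            // Covers SizeLimitExceededException and FileSizeLimitExceededException.
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE,
                    "upload exceeds configured size limit");
        } catch (FileUploadException e) {
            // Malformed multipart body.
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid multipart request");
        } finally {
            // Release temporary files created by DiskFileItemFactory.
            if (items != null) {
                for (FileItem item : items) {
                    item.delete();
                }
            }
        }
    }

    // Hypothetical application hook for an accepted file; replace with real processing.
    private void handleFile(FileItem item) throws IOException {
        // e.g. validate the content type and write the bytes to storage
        item.getInputStream().close();
    }
}
```

Map the limit exceptions to a distinct log line or metric as well as the 413 response; a sudden burst of FileCountLimitExceededException events is the observable signal of the upload pattern this advisory describes.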

References

https://commons.apache.org/proper/commons-fileupload/security-reports.html
https://seclists.org/oss-sec/2023/q1/108
https://securityonline.info/cve-2023-24998-apache-commons-fileupload-and-tomcat-dos-flaw/