WARNING: A VULNERABILITY IN APACHE TOMCAT-FileUpload COULD LEAD TO DENIAL OF SERVICE (DoS) ATTACK
CVE-2023-24998
Sources
https://nvd.nist.gov/vuln/detail/CVE-2023-24998
Risques
Successful exploitation of CVE-2023-24998 could allow a remote attacker to initiate a series of uploads and to perform Denial of Service (DoS) attack.
CVE-2023-24998 has an impact on availability of the CIA triad (Confidentiality, Integrity, Availability)
Tomcat versions 11.0.0-M3, 10.1.5, 9.0.71, and 8.5.85 are already using version 1.5 of the library, but applications using Tomcat 11.0.0-M1,10.1.0-M1 to 10.1.4, 9.0.0-M1 to 9.0.70, and 8.5.0 to 8.5.84 need to update the Apache Commons FileUpload library.
Description
Apache Tomcat implements a package that is a renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification.
The denial-of-service vulnerability affects the Apache Commons FileUpload function before version 1.5 and Apache Tomcat, because the function doesn't limit the number request parts to be processed, which allows an attacker to launch a DoS with a malicious upload or series of uploads.
Tomcat versions 11.0.0-M3, 10.1.5, 9.0.71, and 8.5.85 are already using version 1.5 of the library, but applications using Tomcat 11.0.0-M1,10.1.0-M1 to 10.1.4, 9.0.0-M1 to 9.0.70, and 8.5.0 to 8.5.84 need to update the Apache Commons FileUpload library.
Actions recommandées
The CCB recommends administrators to upgrade to Apache Commons FileUpload 1.5 or later released by the vendor.
Références
https://commons.apache.org/proper/commons-fileupload/security-reports.html
https://seclists.org/oss-sec/2023/q1/108
https://securityonline.info/cve-2023-24998-apache-commons-fileupload-and-tomcat-dos-flaw/