7.8
HIGH

CVE-2016-3092

Published: 04/07/2016 Updated: 19/07/2018
CVSS v2 Base Score: 7.8 | Impact Score: 6.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

Vulnerability Summary

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

A vulnerability in the MultipartStream class in the Apache Commons FileUpload library could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.

The vulnerability is due to insufficient boundary checking by the affected software. An attacker could exploit this vulnerability by sending a crafted file upload request to a targeted system. A successful exploit could consume excessive CPU resources, causing the targeted system to become unresponsive and resulting in a DoS condition.

Apache has confirmed the vulnerability and released software updates.

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

Affected Products

Vendor | Product | Versions
Apache | Commons Fileupload | 1.3.1
Apache | Tomcat | 7.0.0, 7.0.1, 7.0.2, 7.0.4, 7.0.5, 7.0.6, 7.0.8, 7.0.10, 7.0.11, 7.0.12, 7.0.14, 7.0.16, 7.0.19, 7.0.20, 7.0.21, 7.0.22, 7.0.23, 7.0.25, 7.0.26, 7.0.27, 7.0.28, 7.0.29, 7.0.30, 7.0.32, 7.0.33, 7.0.34, 7.0.35, 7.0.37, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.47, 7.0.50, 7.0.52, 7.0.53, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.59, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.67, 7.0.68, 7.0.69, 8.0.0, 8.0.1, 8.0.3, 8.0.5, 8.0.8, 8.0.11, 8.0.12, 8.0.14, 8.0.15, 8.0.17, 8.0.18, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.26, 8.0.27, 8.0.28, 8.0.29, 8.0.30, 8.0.32, 8.0.33, 8.0.35, 8.5.0, 8.5.2, 9.0.0
Hp | Icewall Identity Manager | 5.0
Hp | Icewall Sso Agent Option | 10.0
Canonical | Ubuntu Linux | 12.04, 14.04, 15.10, 16.04
Debian | Debian Linux | 8.0

Mitigation

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators are advised to monitor affected systems.
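
One way to support that monitoring, as an added example (not code from Apache or from this advisory): the script below parses the Content-Type header of upload requests and flags multipart boundaries that are missing or longer than the 70 characters RFC 2046 allows. The threshold, the function names and the sample records are assumptions made for this illustration; the 70-character limit is a policy choice, not the behaviour of the patched library.

```python
from email.message import Message
from email.utils import collapse_rfc2231_value

# RFC 2046 section 5.1.1 caps a multipart boundary at 70 characters.
# Using that cap as the alert threshold is this example's policy choice.
MAX_BOUNDARY_LEN = 70


def classify(content_type):
    """Return (verdict, boundary_length) for one Content-Type header value."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_maintype() != "multipart":
        return ("not-multipart", 0)
    boundary = msg.get_param("boundary")  # surrounding quotes are stripped
    if boundary is None:
        return ("missing-boundary", 0)
    # get_param returns a tuple for RFC 2231 encoded parameters.
    boundary = collapse_rfc2231_value(boundary)
    if len(boundary) > MAX_BOUNDARY_LEN:
        return ("oversized-boundary", len(boundary))
    return ("ok", len(boundary))


def scan(records):
    """Return (client, path, verdict, length) for requests worth a look."""
    findings = []
    for client, path, content_type in records:
        verdict, length = classify(content_type)
        if verdict in ("oversized-boundary", "missing-boundary"):
            findings.append((client, path, verdict, length))
    return findings


# Constructed sample records (client, path, Content-Type); not real traffic.
SAMPLE = [
    ("198.51.100.10", "/upload",
     "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("198.51.100.11", "/api", "application/json"),
    ("203.0.113.5", "/upload", "multipart/form-data; boundary=" + "A" * 500),
    ("203.0.113.6", "/upload", 'Multipart/Form-Data; boundary="' + "b" * 71 + '"'),
    ("203.0.113.7", "/upload", "multipart/form-data"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same length check can be enforced in front of the application (reverse proxy or request filter) on systems that cannot be updated immediately.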

Exploitation

To exploit this vulnerability, the attacker must send a crafted HTTP request to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.

References

CWE-20
http://jvn.jp/en/jp/JVN89379547/index.html
http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121
http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E
http://rhn.redhat.com/errata/RHSA-2016-2068.html
http://rhn.redhat.com/errata/RHSA-2016-2069.html
http://rhn.redhat.com/errata/RHSA-2016-2070.html
http://rhn.redhat.com/errata/RHSA-2016-2071.html
http://rhn.redhat.com/errata/RHSA-2016-2072.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://rhn.redhat.com/errata/RHSA-2017-0457.html
http://svn.apache.org/viewvc?view=revision&revision=1743480
http://svn.apache.org/viewvc?view=revision&revision=1743722
http://svn.apache.org/viewvc?view=revision&revision=1743738
http://svn.apache.org/viewvc?view=revision&revision=1743742
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://www.debian.org/security/2016/dsa-3609
http://www.debian.org/security/2016/dsa-3611
http://www.debian.org/security/2016/dsa-3614
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
http://www.securityfocus.com/bid/91453
http://www.securitytracker.com/id/1036427
http://www.securitytracker.com/id/1036900
http://www.securitytracker.com/id/1037029
http://www.securitytracker.com/id/1039606
http://www.ubuntu.com/usn/USN-3024-1
http://www.ubuntu.com/usn/USN-3027-1
https://access.redhat.com/errata/RHSA-2017:0455
https://access.redhat.com/errata/RHSA-2017:0456
https://bugzilla.redhat.com/show_bug.cgi?id=1349468
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
https://security.gentoo.org/glsa/201705-09