586966 – (CVE-2016-3092) <www-servers/tomcat-{7.0.70, 8.0.36}: Usage of vulnerable FileUpload package can result in denial of service (CVE-2016-3092)

Bug 586966 (CVE-2016-3092) - <www-servers/tomcat-{7.0.70, 8.0.36}: Usage of vulnerable FileUpload package can result in denial of service (CVE-2016-3092)

Summary: <www-servers/tomcat-{7.0.70, 8.0.36}: Usage of vulnerable FileUpload package ...

Status:	RESOLVED FIXED

Alias:	CVE-2016-3092

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://bugzilla.redhat.com/show_bug....
Whiteboard:	B3 [glsa cve]
Keywords:

Depends on:	CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797, CVE-2016-6816, CVE-2016-6817, CVE-2016-8735
Blocks:	CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763
	Show dependency tree

Reported:	2016-06-24 15:38 UTC by Agostino Sarubbo
Modified:	2020-08-28 03:26 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2013-0248
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Agostino Sarubbo gentoo-dev

2016-06-24 15:38:50 UTC

From ${URL} :

Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart 
boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long.

External references:

http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html

Upstream fixes:

Tomcat 8.5.x:

http://svn.apache.org/viewvc?view=revision&revision=1743722

Tomcat 8.0.x:

http://svn.apache.org/viewvc?view=revision&revision=1743738


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.

Comment 1 Miroslav Šulc gentoo-dev

2016-07-14 08:35:03 UTC

none of the 8.5.x versions in the tree is affected by this issue. and according to the log at http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.36_(markt) it seems the first unaffected version is 8.0.36. anyway, there are some bugs reported against this version that block stabilization so these should be fixed first i guess.

Comment 2 GLSAMaker/CVETool Bot gentoo-dev

2016-07-14 08:43:29 UTC

CVE-2016-3092 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3092):
  The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
  in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3,
  and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause
  a denial of service (CPU consumption) via a long boundary string.

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2016-07-14 08:53:44 UTC

8.5.x is currently unstable.

@maintainer(s), please let us know if you are ready to stabilize the unaffected versions.  If so, please call for stabilization in this bug or let us know.  Thank you.

GLSA Vote: Yes.  Given the blocked bug this will require a GLSA.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2016-11-19 01:47:18 UTC

We will do stabilization in bug 598324.

Comment 5 Yury German Gentoo Infrastructure

2017-04-30 19:30:01 UTC

Arches and Maintainer(s), Thank you for your work.

Comment 6 GLSAMaker/CVETool Bot gentoo-dev

2017-05-18 02:02:25 UTC

This issue was resolved and addressed in
 GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09
by GLSA coordinator Yury German (BlueKnight).