CVE-2016-3092
Published: 23 June 2016
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
From the Ubuntu Security Team
It was discovered that the Tomcat Fileupload library incorrectly handled certain upload requests. A remote attacker could possibly use this issue to cause a denial of service.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libcommons-fileupload-java Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(1.3.2-1)
|
| bionic |
Not vulnerable
(1.3.2-1)
|
|
| cosmic |
Not vulnerable
(1.3.2-1)
|
|
| disco |
Not vulnerable
(1.3.2-1)
|
|
| eoan |
Not vulnerable
(1.3.2-1)
|
|
| focal |
Not vulnerable
(1.3.2-1)
|
|
| groovy |
Not vulnerable
(1.3.2-1)
|
|
| hirsute |
Not vulnerable
(1.3.2-1)
|
|
| impish |
Not vulnerable
(1.3.2-1)
|
|
| jammy |
Not vulnerable
(1.3.2-1)
|
|
| kinetic |
Not vulnerable
(1.3.2-1)
|
|
| lunar |
Not vulnerable
(1.3.2-1)
|
|
| mantic |
Not vulnerable
(1.3.2-1)
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Released
(1.3.2-1)
|
|
| wily |
Released
(1.3.1-1+deb8u1ubuntu0.15.10.1)
|
|
| xenial |
Released
(1.3.1-2ubuntu0.1)
|
|
| yakkety |
Not vulnerable
(1.3.2-1)
|
|
| zesty |
Not vulnerable
(1.3.2-1)
|
|
|
Patches: other: https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480 |
||
|
tomcat6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| precise |
Released
(6.0.35-1ubuntu3.7)
|
|
| trusty |
Released
(6.0.39-1ubuntu0.1+esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Needed
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Needed
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: other: https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480 |
||
|
tomcat7 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.0.70-1)
|
| bionic |
Not vulnerable
(7.0.70-1)
|
|
| cosmic |
Not vulnerable
(7.0.70-1)
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Released
(7.0.52-1ubuntu0.6)
|
|
| upstream |
Released
(7.0.70-1)
|
|
| wily |
Released
(7.0.64-1ubuntu0.3)
|
|
| xenial |
Released
(7.0.68-1ubuntu0.1)
|
|
| yakkety |
Not vulnerable
(7.0.70-1)
|
|
| zesty |
Not vulnerable
(7.0.70-1)
|
|
|
Patches: other: https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480 |
||
|
tomcat8 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(8.0.36-1)
|
| bionic |
Not vulnerable
(8.0.36-1)
|
|
| cosmic |
Not vulnerable
(8.0.36-1)
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| mantic |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.0.36-1)
|
|
| wily |
Ignored
(end of life)
|
|
| xenial |
Released
(8.0.32-1ubuntu1.1)
|
|
| yakkety |
Not vulnerable
(8.0.36-1)
|
|
| zesty |
Not vulnerable
(8.0.36-1)
|
|
|
Patches: other: https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480 |
||
|
tomcat9 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
(9.0.16-3~18.04.1)
|
|
| cosmic |
Not vulnerable
(9.0.16-3~18.10)
|
|
| disco |
Not vulnerable
(9.0.16-3)
|
|
| eoan |
Not vulnerable
(9.0.16-3)
|
|
| focal |
Not vulnerable
(9.0.16-3)
|
|
| groovy |
Not vulnerable
(9.0.16-3)
|
|
| hirsute |
Not vulnerable
(9.0.16-3)
|
|
| impish |
Not vulnerable
(9.0.16-3)
|
|
| jammy |
Not vulnerable
(9.0.16-3)
|
|
| kinetic |
Not vulnerable
(9.0.16-3)
|
|
| lunar |
Not vulnerable
(9.0.16-3)
|
|
| mantic |
Not vulnerable
(9.0.16-3)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(9.0.0M8)
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: other: https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |