Apache, Debian crews patch library with DoS vuln
Upgrade your libcommons-fileupload-java package
A file upload library used in Apache Tomcat and various Linux distributions needs patching to plug a denial-of-service vulnerability.
Discovered by the TERASOLUNA Framework Development Team, the bug in libcommons-fileupload-java (the Debian package of Apache Commons FileUpload) has the Common Vulnerabilities and Exposures designation CVE-2016-3092.
Apache explains the bug here: “It occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary length was the typical tens of bytes.”
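To make the slowdown Apache describes concrete, here is a constructed model of a buffered multipart scanner. It is an added example, not Commons FileUpload's or Tomcat's own code: it keeps the last len(delimiter)-1 bytes across refills (a delimiter may straddle a buffer edge), reads only into the free space, and searches the whole buffer after every refill. The 4096-byte buffer comes from the advisory; the RFC 2046 limit of 70 characters on a boundary is the one outside fact used; every function name, the sample body and the `boundary_is_acceptable` check are assumptions made for the illustration.

```python
"""Constructed model of a buffered multipart-boundary scanner, added to show
why a boundary whose length approaches the 4096-byte read buffer makes the
upload take far longer.  This is NOT Apache Commons FileUpload's code."""
import io

BUF_SIZE = 4096             # buffer size named in the Apache advisory
RFC2046_MAX_BOUNDARY = 70   # RFC 2046 s5.1.1: a boundary is 1 to 70 characters


def scan_part(stream, delimiter, buf_size=BUF_SIZE):
    """Consume body bytes from `stream` up to `delimiter`.

    Returns (body, refills, bytes_scanned).  Each refill reads only into
    the free space left after the overlap region is carried over, and the
    whole buffer is searched again afterwards, so a delimiter nearly as long
    as the buffer means a few fresh bytes per full-buffer search.
    """
    keep = len(delimiter) - 1           # overlap carried across refills
    if keep >= buf_size:
        raise ValueError("delimiter does not fit in the buffer")
    buf = b""
    body = bytearray()
    refills = scanned = 0
    while True:
        chunk = stream.read(buf_size - len(buf))   # only the free space
        refills += 1
        buf += chunk
        scanned += len(buf)                        # full-buffer search each time
        idx = buf.find(delimiter)
        if idx != -1:
            body += buf[:idx]
            return bytes(body), refills, scanned
        if not chunk:
            raise ValueError("delimiter not found before end of stream")
        # Everything before the overlap region is confirmed body data.
        cut = max(len(buf) - keep, 0)
        body += buf[:cut]
        buf = buf[cut:]


def delimiter_for(token):
    """CRLF plus '--' plus the boundary token, as it appears in the stream."""
    return b"\r\n--" + token


def build_part(body, token):
    """Constructed multipart fragment: body, then the closing delimiter line."""
    return body + delimiter_for(token) + b"--\r\n"


def boundary_is_acceptable(token, buf_size=BUF_SIZE):
    """Added up-front check (an assumption, not the project's own patch):
    reject tokens longer than RFC 2046 allows, or whose delimiter would
    leave less than half the buffer for fresh input on each refill."""
    return (len(token) <= RFC2046_MAX_BOUNDARY
            and 2 * len(delimiter_for(token)) < buf_size)


def measure(token, body=b"A" * 65536):
    """Scan a constructed 64 KiB part and return (refills, bytes_scanned)."""
    stream = io.BytesIO(build_part(body, token))
    got, refills, scanned = scan_part(stream, delimiter_for(token))
    assert got == body                  # the scanner still parses correctly
    return refills, scanned


if __name__ == "__main__":
    for token in (b"x" * 40, b"x" * 4091):
        print(len(token), boundary_is_acceptable(token), measure(token))
```

With a typical 40-byte boundary the 64 KiB body needs 17 refills and about 66 KB of searching; with a 4091-byte boundary (a 4095-byte delimiter against the 4096-byte buffer) the same body needs 32769 refills and about 134 MB of searching, each refill also being a separate read from the socket. Parsing stays correct in both cases, which is why the problem surfaced as a performance bug rather than a parse failure; the check rejects the pathological boundary before any scanning happens.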
In the Apache world, affected versions are Tomcat 9.0.0.M1 to 9.0.0.M6; Apache Tomcat 8.5.0 to 8.5.2; Apache Tomcat 8.0.0.RC1 to 8.0.35; and Apache Tomcat 7.0.0 to 7.0.69. Earlier versions aren't affected.
The Apache advisory also notes that the bug affects only applications using the file upload feature introduced in Servlet 3.0; Tomcat implements that feature with a packaged copy of Commons FileUpload, which is how the library bug ends up in the servlet container.
The Debian team has also posted its patch advice, here. The fix is in version 1.3.1-1+deb8u1 for stable (jessie), and in version 1.3.2-1 for both testing and unstable.
Other distros affected by the bug will presumably post their fixes shortly. ®