[Bug 269652] www/tomcat{85,9,101}: Update to 8.5.85, 9.0.71, 10.1.5 (CVE-2023-24998 FileUpload DoS with excessive parts)

In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 269652] www/tomcat{85,9,101}: Update to 8.5.85, 9.0.71, 10.1.5"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 22 Feb 2023 12:25:19 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=269652

VVD <vvd@unislabs.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|www/tomcat{85,9,101}:       |www/tomcat{85,9,101}:
                   |Update to 8.5.85, 9.0.71,   |Update to 8.5.85, 9.0.71,
                   |10.1.5                      |10.1.5 (CVE-2023-24998
                   |                            |FileUpload DoS with
                   |                            |excessive parts)

--- Comment #5 from VVD <vvd@unislabs.com> ---
CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 to 10.1.4
Apache Tomcat 9.0.0-M1 to 9.0.70
Apache Tomcat 8.5.0 to 8.5.84

Description:
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to
provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the Apache
Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the
number of request parts processed. This resulted in the possibility of an
attacker triggering a DoS with a malicious upload or series of uploads.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later when released
- Upgrade to Apache Tomcat 10.1.5 or later
- Upgrade to Apache Tomcat 9.0.71 or later
- Upgrade to Apache Tomcat 8.5.85 or later
- Note 11.0.0-M2 was not released

Credit:
This issue was identified by Jakob Ackermann

History:
2023-01-03 Original advisory
2023-01-03 Corrected credit

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-11.html

-- 
You are receiving this mail because:
You are the assignee for the bug.