<!DOCTYPE html>
<!--
 | Generated by Apache Maven Doxia at 24 December 2018
 | Rendered using Apache Maven Fluido Skin 1.3.0
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="iso-8859-1" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<meta name="author" content="Commons Documentation Team" />
<meta name="Date-Revision-yyyymmdd" content="20181224" />
<meta http-equiv="Content-Language" content="en" />
<title>FileUpload – Commons FileUpload Security Reports</title>
<link rel="stylesheet" href="./css/bootstrap.min.css" type="text/css" />
<link rel="stylesheet" href="./css/site.css" type="text/css" />
<link rel="stylesheet" href="./css/print.css" media="print" />
<script type="text/javascript" src="./js/jquery.min.js"></script>
<script type="text/javascript" src="./js/bootstrap.min.js"></script>
<script type="text/javascript" src="./js/prettify.min.js"></script>
<script type="text/javascript" src="./js/site.js"></script>
</head>
<body class="composite">
<a href="http://commons.apache.org/" id="bannerLeft" title="Apache Commons logo">
<img class="logo-left" src="./images/commons-logo.png" alt="Apache Commons logo"/>
</a>
<a href="index.html" id="bannerRight">
<img class="logo-right" src="images/logo.png" alt="Commons FileUpload"/>
</a>
<div class="clear"></div>
<div class="navbar">
<div class="navbar-inner">
<div class="container-fluid">
<a class="brand" href="http://commons.apache.org/proper/commons-fileupload/">Apache Commons FileUpload ™</a>
<ul class="nav">
<li id="publishDate">Last Published: 24 December 2018</li>
<li class="divider">|</li> <li id="projectVersion">Version: 1.4</li>
</ul>
<div class="pull-right"> <ul class="nav">
<li><a href="http://www.apachecon.com/" class="externalLink" title="ApacheCon">ApacheCon</a></li>
<li><a href="http://www.apache.org" class="externalLink" title="Apache">Apache</a></li>
<li><a href="../../" title="Commons">Commons</a></li>
</ul>
</div>
</div>
</div>
</div>
<div class="container-fluid">
<table class="layout-table">
<tr>
<td class="sidebar">
<div class="well sidebar-nav">
<ul class="nav nav-list">
<li class="nav-header">Commons FileUpload</li>
<li class="none"><a href="index.html" title="Overview">Overview</a></li>
<li class="none"><a href="using.html" title="User guide">User guide</a></li>
<li class="none"><a href="streaming.html" title="Streaming API">Streaming API</a></li>
<li class="none"><a href="faq.html" title="FAQ">FAQ</a></li>
<li class="none"><a href="javadocs/api-release/index.html" title="Javadoc (Latest release)">Javadoc (Latest release)</a></li>
<li class="none"><a href="download_fileupload.cgi" title="Download">Download</a></li>
<li class="none active"><a href="security-reports.html" title="Security Reports">Security Reports</a></li>
<li class="none"><a href="mail-lists.html" title="Mailing lists">Mailing lists</a></li>
<li class="none"><a href="issue-tracking.html" title="Issue Tracking">Issue Tracking</a></li>
<li class="none"><a href="team-list.html" title="Team">Team</a></li>
<li class="none"><a href="source-repository.html" title="Source repository">Source repository</a></li>
</ul>
<ul class="nav nav-list">
<li class="nav-header"><i class="icon-info-sign"></i>Project Documentation</li>
<li class="collapsed"><a href="project-info.html" title="Project Information">Project Information</a></li>
<li class="collapsed"><a href="project-reports.html" title="Project Reports">Project Reports</a></li>
</ul>
<ul class="nav nav-list">
<li class="nav-header">Commons</li>
<li class="none"><a href="../../" title="Home">Home</a></li>
<li class="none"><a href="http://www.apache.org/licenses/" class="externalLink" title="License">License</a></li>
<li class="collapsed"><a href="../../components.html" title="Components">Components</a></li>
<li class="collapsed"><a href="../../sandbox/index.html" title="Sandbox">Sandbox</a></li>
<li class="collapsed"><a href="../../dormant/index.html" title="Dormant">Dormant</a></li>
</ul>
<ul class="nav nav-list">
<li class="nav-header">General Information</li>
<li class="none"><a href="../../security.html" title="Security">Security</a></li>
<li class="none"><a href="../../volunteering.html" title="Volunteering">Volunteering</a></li>
<li class="none"><a href="../../patches.html" title="Contributing Patches">Contributing Patches</a></li>
<li class="none"><a href="../../building.html" title="Building Components">Building Components</a></li>
<li class="none"><a href="../../commons-parent-pom.html" title="Commons Parent Pom">Commons Parent Pom</a></li>
<li class="none"><a href="../../build-plugin/index.html" title="Commons Build Plugin">Commons Build Plugin</a></li>
<li class="none"><a href="../../releases/index.html" title="Releasing Components">Releasing Components</a></li>
<li class="none"><a href="http://wiki.apache.org/commons/FrontPage" class="externalLink" title="Wiki">Wiki</a></li>
</ul>
<ul class="nav nav-list">
<li class="nav-header">ASF</li>
<li class="none"><a href="http://www.apache.org/foundation/how-it-works.html" class="externalLink" title="How the ASF works">How the ASF works</a></li>
<li class="none"><a href="http://www.apache.org/foundation/getinvolved.html" class="externalLink" title="Get Involved">Get Involved</a></li>
<li class="none"><a href="http://www.apache.org/dev/" class="externalLink" title="Developer Resources">Developer Resources</a></li>
<li class="none"><a href="http://www.apache.org/foundation/policies/conduct.html" class="externalLink" title="Code of Conduct">Code of Conduct</a></li>
<li class="none"><a href="http://www.apache.org/foundation/sponsorship.html" class="externalLink" title="Sponsorship">Sponsorship</a></li>
<li class="none"><a href="http://www.apache.org/foundation/thanks.html" class="externalLink" title="Thanks">Thanks</a></li>
</ul>
</div>
<div id="poweredBy">
<a href="http://www.apache.org/events/current-event.html" title="ApacheCon" class="builtBy">
<img class="builtBy" alt="ApacheCon" src="http://www.apache.org/events/current-event-125x125.png" />
</a>
<a href="http://maven.apache.org/" title="Maven" class="builtBy">
<img class="builtBy" alt="Maven" src="http://maven.apache.org/images/logos/maven-feather.png" />
</a>
</div>
</td>
<td class="content">
<div class="section">
<h2><a name="Apache_Commons_FileUpload_Security_Vulnerabilities"></a>Apache Commons FileUpload Security Vulnerabilities</h2>

<p>This page lists all security vulnerabilities fixed in released versions of Apache Commons FileUpload. Each vulnerability is given a security impact rating by the development team; please note that this rating may vary from platform to platform. We also list the versions of Commons FileUpload the flaw is known to affect; where a flaw has not been verified against a version, that version is listed with a question mark.</p>

<p>Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Commons FileUpload version that you are using.</p>

<p>If you need help on building Commons FileUpload or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public <a href="mail-lists.html">Commons Users mailing list</a>.</p>

<p>If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Apache Security Team. Thank you.</p>

<p>For information about reporting or asking questions about security problems, please see the <a class="externalLink" href="http://commons.apache.org/security.html">security page of the Apache Commons project</a>.</p>

<div class="section">
<h3><a name="Notes_on_Apache_Commons_FileUpload_1.3.3"></a>Notes on Apache Commons FileUpload 1.3.3</h3>

<p>
Regarding potential security problems with the class DiskFileItem: it is true that this class exists and can be serialized and deserialized in FileUpload versions up to and including 1.3.2. It is also true that a malicious attacker can abuse this to create arbitrarily located files (assuming the required permissions) with arbitrary contents, if he gets the opportunity to provide specially crafted data that is deserialized by a Java application which has one of the above versions of Commons FileUpload on its classpath and which puts no limitations on the classes being deserialized.
</p>

<p>
That being said, we (the Apache Commons team) hold the view that the actual problem is not the DiskFileItem class but the "if" in the previous sentence. A Java application should carefully consider which classes may be deserialized. A typical approach would be, for example, to provide a blacklist or whitelist of packages and/or classes which may, or may not, be deserialized.
</p>
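<p>The whitelist approach described above, as an added example rather than code from this page or from Commons FileUpload: an ObjectInputStream subclass that rejects every class descriptor not named up front, exercised against a harmless payload and against a class that is deliberately left off the list. The Note class, the serialize/deserialize helpers and the sample objects are constructed for this example.</p>

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/** Allow-list deserialization: only class names listed up front are resolved from the stream. */
public final class DeserializationAllowListDemo {

    /** ObjectInputStream that refuses to load any class whose name is not on the allow-list. */
    public static final class AllowListObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!allowed.contains(name)) {
                // Thrown before the class is loaded: no static initialiser and no readObject of
                // an unexpected class ever runs.
                throw new InvalidClassException(name, "class not on the deserialization allow-list");
            }
            return super.resolveClass(desc);
        }
    }

    /** Harmless application class used as the sample payload (constructed for this example). */
    public static final class Note implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Note(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] notePayload = serialize(new Note("hello"));
        byte[] listPayload = serialize(new ArrayList<>(Arrays.asList("a", "b")));

        // The only class this endpoint is expected to receive. Everything else, including any
        // library class such as DiskFileItem, is rejected by name.
        Set<String> allowed = new HashSet<>(Arrays.asList(Note.class.getName()));

        Note n = (Note) deserialize(notePayload, allowed);
        System.out.println("accepted: Note(" + n.text + ")");

        try {
            deserialize(listPayload, allowed);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());   // java.util.ArrayList is not allow-listed
        }
    }
}
```

<p>The check runs in resolveClass, before the JVM loads the class, so neither a static initialiser nor a readObject method of an unexpected class executes. Array descriptors such as [B are class descriptors too and must be allow-listed where the payload legitimately contains them. On Java 9 and later the same policy can be expressed without a subclass through ObjectInputStream.setObjectInputFilter(ObjectInputFilter.Config.createFilter("DeserializationAllowListDemo$Note;!*")), or process-wide with -Djdk.serialFilter; an application still running FileUpload 1.3.2 or earlier should keep org.apache.commons.fileupload.disk.DiskFileItem off any such list.</p>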

<p>
On the other hand, we acknowledge that the likelihood of application container vendors taking such a simple security measure is extremely low. So, in order to support Commons FileUpload users, we have decided to take a different approach:
</p>

<p>
Beginning with 1.3.3, the class DiskFileItem still implements the interface java.io.Serializable. In other words, it still declares itself to the JVM as serializable and deserializable. In practice, however, an attempt to deserialize an instance of DiskFileItem will trigger an Exception. In the unlikely case that your application depends on the deserialization of DiskFileItems, you can revert to the previous behaviour by setting the system property "org.apache.commons.fileupload.disk.DiskFileItem.serializable" to "true". Doing so restores the pre-1.3.3 exposure described above for every code path in that JVM that deserializes untrusted data.
</p>

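<p>A runtime check for the behaviour just described, added here as an example rather than taken from the project: it serializes a throw-away DiskFileItem, attempts to read it back, and reports whether the round trip was refused. It assumes commons-fileupload 1.3.3 or later on the classpath; the field name, file name, size threshold and repository passed to the DiskFileItem constructor are arbitrary values chosen for the probe.</p>

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;

import org.apache.commons.fileupload.disk.DiskFileItem;

/** Verifies at runtime that DiskFileItem instances cannot be brought back from a serialized stream. */
public final class DiskFileItemGuardCheck {

    /** Opt-in property documented for FileUpload 1.3.3 and later. */
    static final String SERIALIZABLE_PROPERTY =
            "org.apache.commons.fileupload.disk.DiskFileItem.serializable";

    /** Serializes a probe DiskFileItem and tries to read it back; true means the JVM refused it. */
    static boolean deserializationRefused() {
        try {
            // Arbitrary probe values; the repository only has to be an existing directory.
            DiskFileItem item = new DiskFileItem("file", "text/plain", false, "probe.txt",
                    1024, new File(System.getProperty("java.io.tmpdir")));
            try (OutputStream out = item.getOutputStream()) {
                out.write("probe".getBytes(StandardCharsets.UTF_8));   // small: stays in memory
            }
            ByteArrayOutputStream buf = new ByteArrayOutputStream();
            try (ObjectOutputStream oos = new ObjectOutputStream(buf)) {
                oos.writeObject(item);
            }
            try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
                Object back = ois.readObject();
                System.out.println("deserialized " + back.getClass().getName() + " (guard is OFF)");
                return false;
            }
        } catch (Exception e) {
            // 1.3.3+ refuses the round trip unless the property is set to "true".
            System.out.println("refused: " + e);
            return true;
        }
    }

    public static void main(String[] args) {
        if (Boolean.getBoolean(SERIALIZABLE_PROPERTY)) {
            System.err.println("WARNING: -D" + SERIALIZABLE_PROPERTY
                    + "=true re-enables DiskFileItem deserialization; do not run like this with untrusted input");
        }
        boolean refused = deserializationRefused();
        System.out.println(refused
                ? "OK: DiskFileItem deserialization is blocked"
                : "FAIL: DiskFileItem deserialization works; upgrade to 1.3.3+ or unset the property");
    }
}
```

<p>Run it once with no extra flags and once with -Dorg.apache.commons.fileupload.disk.DiskFileItem.serializable=true to see the two outcomes; a copy of this check in an integration test catches the property being switched back on by a startup script or container configuration.</p>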
</div>
|
|
|
|
|
|
<div class="section">
<h3><a name="Fixed_in_Apache_Commons_FileUpload_1.3.2"></a>Fixed in Apache Commons FileUpload 1.3.2</h3>

<p><b>Low: Denial of Service</b> <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092">CVE-2016-3092</a></p>

<p>Specially crafted input can trigger a DoS (slow uploads) if the size of the MIME boundary is close to the size of the buffer in MultipartStream. This is also fixed in <a class="externalLink" href="https://tomcat.apache.org/security.html">Apache Tomcat</a>, which bundles a copy of this code.</p>

<p>This was fixed in revision <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&revision=1743480">1743480</a>.</p>

<p>Affects: 1.0? - 1.3.1</p>
</div>
|
|
|
|
|
|
<div class="section">
<h3><a name="Fixed_in_Apache_Commons_FileUpload_1.3.1"></a>Fixed in Apache Commons FileUpload 1.3.1</h3>

<p><b>Low: Denial of Service</b> <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050">CVE-2014-0050</a></p>

<p>MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in <a class="externalLink" href="https://tomcat.apache.org/security.html">Apache Tomcat</a>, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.</p>

<p>This was fixed in revision <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&revision=1565143">1565143</a>.</p>

<p>Affects: 1.0? - 1.3</p>

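<p>Both MultipartStream issues above (CVE-2016-3092 and CVE-2014-0050) start from an attacker-chosen boundary parameter in the Content-Type header. The following added example (not FileUpload code) validates that parameter before a request is handed to the parser, applying the RFC 2046 section 5.1.1 limits of 1 to 70 characters drawn from the bchars alphabet. The sample headers are constructed for the example, and String.repeat requires Java 11 or later.</p>

```java
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Pre-parse check for multipart Content-Type headers (added example, not FileUpload code). */
public final class MultipartBoundaryCheck {

    /** RFC 2046 section 5.1.1: a boundary is 1 to 70 characters from a restricted alphabet. */
    static final int MAX_BOUNDARY_LENGTH = 70;
    static final Pattern BCHARS = Pattern.compile("[0-9A-Za-z'()+_,\\-./:=? ]{1,70}");
    // boundary=<token>  or  boundary="<quoted>"; the parameter name is case-insensitive
    private static final Pattern BOUNDARY_PARAM =
            Pattern.compile("(?i);\\s*boundary\\s*=\\s*(?:\"([^\"]*)\"|([^;\\s]*))");

    /**
     * Returns the boundary when the header is a multipart type with a well-formed boundary,
     * otherwise throws IllegalArgumentException. Call it before handing the request to
     * ServletFileUpload or MultipartStream and answer a rejection with HTTP 400.
     */
    static String requireSaneBoundary(String contentType) {
        if (contentType == null || !contentType.toLowerCase(Locale.ROOT).startsWith("multipart/")) {
            throw new IllegalArgumentException("not a multipart request");
        }
        Matcher m = BOUNDARY_PARAM.matcher(contentType);
        if (!m.find()) {
            throw new IllegalArgumentException("multipart request without boundary parameter");
        }
        String boundary = m.group(1) != null ? m.group(1) : m.group(2);
        if (boundary.isEmpty() || boundary.length() > MAX_BOUNDARY_LENGTH) {
            throw new IllegalArgumentException("boundary length " + boundary.length()
                    + " outside 1.." + MAX_BOUNDARY_LENGTH);
        }
        // RFC 2046 also forbids a trailing space, which the character class alone would accept.
        if (!BCHARS.matcher(boundary).matches() || boundary.endsWith(" ")) {
            throw new IllegalArgumentException("boundary contains characters outside RFC 2046 bchars");
        }
        return boundary;
    }

    public static void main(String[] args) {
        String[] samples = {                                          // constructed sample headers
            "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
            "multipart/form-data; boundary=\"simple boundary\"",
            "multipart/form-data; boundary=" + "A".repeat(4000),    // oversized boundary
            "multipart/form-data",                                    // no boundary at all
            "application/json",
        };
        for (String ct : samples) {
            try {
                System.out.println("accept  " + requireSaneBoundary(ct));
            } catch (IllegalArgumentException e) {
                System.out.println("reject  " + e.getMessage() + "  <- " + abbreviate(ct));
            }
        }
    }

    private static String abbreviate(String s) {
        return s.length() > 60 ? s.substring(0, 57) + "..." : s;
    }
}
```

<p>Enforcing the RFC limit does not replace upgrading: the fixed versions handle an over-long boundary correctly, and this check merely rejects such requests cheaply at the edge before any parser buffer is touched. It is also worth keeping ServletFileUpload.setSizeMax and setFileSizeMax configured, since those bound the work a single request can cause regardless of its boundary.</p>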
</div>
|
|
|
|
|
|
<div class="section">
<h3><a name="Fixed_in_Apache_Commons_FileUpload_1.3"></a>Fixed in Apache Commons FileUpload 1.3</h3>

<p><b>Low: Improved Documentation for Multitenancy</b> <a class="externalLink" href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248">CVE-2013-0248</a></p>

<p>Update the Javadoc and documentation to make it clear that setting a repository is required for a secure configuration if there are local, untrusted users. (Without one, uploads above the size threshold are spooled to the system temporary directory, java.io.tmpdir, which other local users can typically access.)</p>

<p>This was fixed in revision <a class="externalLink" href="http://svn.apache.org/viewvc?view=revision&revision=1453273">1453273</a>.</p>

<p>Affects: 1.0 - 1.2.2</p>

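<p>A configuration that meets the documented requirement, written here as an added example rather than taken from the project: it creates an owner-only spool directory, refuses the shared java.io.tmpdir (the default repository) and any directory readable by other users, and wires the directory into a DiskFileItemFactory. It assumes a POSIX filesystem and commons-fileupload 1.3 or later; the ~/.myapp/upload-spool location and the 256 KiB threshold are arbitrary choices.</p>

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.EnumSet;
import java.util.Set;

import org.apache.commons.fileupload.disk.DiskFileItemFactory;

/** Builds a DiskFileItemFactory whose repository no other local user can read (added example). */
public final class PrivateUploadRepository {

    /** Creates (or verifies) an owner-only directory and returns a factory that spools uploads there. */
    static DiskFileItemFactory newFactory(Path repository, int sizeThreshold) throws IOException {
        Set<PosixFilePermission> ownerOnly = EnumSet.of(
                PosixFilePermission.OWNER_READ,
                PosixFilePermission.OWNER_WRITE,
                PosixFilePermission.OWNER_EXECUTE);
        if (Files.notExists(repository)) {
            Files.createDirectories(repository, PosixFilePermissions.asFileAttribute(ownerOnly));
        }
        // Never spool into the shared temp dir: other local users could read or pre-create the files.
        Path shared = Paths.get(System.getProperty("java.io.tmpdir")).toRealPath();
        if (repository.toRealPath().equals(shared)) {
            throw new IOException("repository must not be the shared java.io.tmpdir: " + shared);
        }
        // Refuse a pre-existing directory that carries any group or world permission bit.
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(repository);
        if (!ownerOnly.containsAll(actual)) {
            throw new IOException("repository " + repository + " is accessible to other users: "
                    + PosixFilePermissions.toString(actual));
        }
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(sizeThreshold);   // items above this size go to disk
        factory.setRepository(repository.toFile());
        return factory;
    }

    public static void main(String[] args) throws IOException {
        // Assumed location under the service account's home; adjust to the deployment.
        Path repo = Paths.get(System.getProperty("user.home"), ".myapp", "upload-spool");
        DiskFileItemFactory factory = newFactory(repo, 256 * 1024);
        System.out.println("spooling uploads larger than 256 KiB into " + factory.getRepository());
    }
}
```

<p>Pass the returned factory to new ServletFileUpload(factory) as usual. The permission check deliberately fails closed on a directory that already exists with wider permissions rather than silently chmod-ing it, because a pre-created world-writable directory is exactly the situation a hostile local user would set up.</p>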
</div>
</div>

<div class="section">
<h2><a name="Errors_and_Ommissions"></a>Errors and Omissions</h2>

<p>Please report any errors or omissions to <a href="mail-lists.html">the dev mailing list</a>.</p>
</div>
</td>
</tr>
</table>
</div>
<div class="footer">
<p>Copyright © 2002-2018
<a href="https://www.apache.org/">The Apache Software Foundation</a>.
All Rights Reserved.</p>
</div>
</body>
</html>