CVE-2023-24998: Apache Commons FileUpload and Tomcat DoS Flaw

CVE-2023-24998

Apache Commons and Tomcat developers are urging users to update a file upload library due to the existence of a vulnerability that can be exploited for denial-of-service (DoS) attacks.

The Apache Tomcat team pointed out that the Commons FileUpload library, which provides the file upload functionality defined in the Jakarta Servlet specification, is affected by a denial-of-service vulnerability, and that Tomcat's own bundled copy of the library shares it.

The flaw, tracked as CVE-2023-24998, was discovered by Jakob Ackermann on 11 December 2022. It was patched with the release of Commons FileUpload version 1.5 this month.

Apache Commons FileUpload and Tomcat are vulnerable to a denial of service because the file upload code places no limit on the number of parts it will process in a single multipart request. Every part is parsed and turned into an item before the application sees the request, so a remote attacker who sends a multipart request containing a very large number of parts, or a series of such requests, can consume server resources and cause a denial-of-service condition without needing a large upload.

“Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads,” Apache Commons FileUpload developers wrote.

“Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads,” Apache Tomcat developers explained.

Tomcat versions 11.0.0-M3, 10.1.5, 9.0.71, and 8.5.85 include the fix, which is the equivalent of the limit added in Commons FileUpload 1.5. Applications running Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.4, 9.0.0-M1 to 9.0.70, or 8.5.0 to 8.5.84 need to upgrade Tomcat itself, since Tomcat does not use the external Commons FileUpload jar but a repackaged copy of its own. Applications that use Commons FileUpload directly need to upgrade to version 1.5.