Update Apache Commons FileUpload

Description

The Apache Commons FileUpload library recently got an update to fix a critical performance bug. They haven't published the CVE last I checked, but they announced it on the Tomcat announce mailing list.

Related CVE-2016-3092

Environment

None

Activity

Joseph Gooch 30 June 2016 at 17:46

I'm interested in the PoC if you get a chance.

I'm also interested if this is a Tomcat problem or a Lucee problem. Are you experiencing this in the HTTP handling or in other areas, i.e. cffile action="upload"?

Also, what version of Lucee are you running? Is it Express or otherwise? What version of Tomcat?

Kyle Thompson 27 June 2016 at 13:42

If you need a proof of concept script / binary, I can provide one. I'm able to take up 100% CPU on my local machine with only 4 requests. The workaround of limiting the header size does work, but it is not always a solution you can rely on.

Fixed

Created 22 June 2016 at 17:05
Updated 24 July 2016 at 07:49
Resolved 18 July 2016 at 18:50
