PT-2016-2309 · Apache+6 · Apache Tomcat+7

Published 2016-06-13 · Updated 2025-09-29 · CVE-2016-3092

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions

Apache Commons Fileupload versions prior to 1.3.2
Apache Tomcat versions prior to 7.0.70
Apache Tomcat versions prior to 8.0.36
Apache Tomcat versions prior to 8.5.3
Apache Tomcat versions prior to 9.0.0.M7

Description

The issue allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. This occurs due to insufficient input validation in the MultipartStream class. The denial of service occurs when the length of the multipart boundary is just below the size of the buffer used to read the uploaded file, which causes the file upload process to take significantly longer.

Recommendations

For Apache Commons Fileupload versions prior to 1.3.2, update to version 1.3.2 or later.
For Apache Tomcat versions prior to 7.0.70, update to version 7.0.70 or later.
For Apache Tomcat versions prior to 8.0.36, update to version 8.0.36 or later.
For Apache Tomcat versions prior to 8.5.3, update to version 8.5.3 or later.
For Apache Tomcat versions prior to 9.0.0.M7, update to version 9.0.0.M7 or later.
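
Until the update is applied, requests with an abnormally long boundary can be screened before they reach the multipart parser. The sketch below is an added example, not code from Apache Commons Fileupload or Tomcat: it parses the Content-Type header and rejects multipart requests whose boundary is missing or longer than the 70 characters RFC 2046 permits. The function names, the 70-character cut-off as policy, and the sample records are assumptions made for illustration.

```python
from email.message import Message

# RFC 2046 section 5.1.1 limits a multipart boundary to 70 characters. Using
# that as the cut-off is this example's assumption, not the upstream patch.
MAX_BOUNDARY_LEN = 70


def multipart_boundary(content_type):
    """Return (is_multipart, boundary) parsed from a Content-Type value."""
    msg = Message()
    msg["Content-Type"] = content_type
    if msg.get_content_maintype() != "multipart":
        return False, None
    # get_boundary() strips quotes and decodes RFC 2231 encoded parameters.
    return True, msg.get_boundary()


def verdict(content_type, max_len=MAX_BOUNDARY_LEN):
    """Classify one request as 'skip', 'allow' or 'reject'."""
    is_multipart, boundary = multipart_boundary(content_type)
    if not is_multipart:
        return "skip"      # never handed to the multipart parser
    if not boundary or len(boundary) > max_len:
        return "reject"    # missing or oversized boundary
    return "allow"


def flag_requests(records, max_len=MAX_BOUNDARY_LEN):
    """Return (client, boundary_length) for every rejected record."""
    flagged = []
    for client, content_type in records:
        if verdict(content_type, max_len) == "reject":
            _, boundary = multipart_boundary(content_type)
            flagged.append((client, len(boundary or "")))
    return flagged


# Constructed sample input: (client, Content-Type) pairs, not real traffic.
SAMPLE = [
    ("198.51.100.7", "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"),
    ("198.51.100.8", "application/json"),
    ("198.51.100.9", 'Multipart/Form-Data; boundary="' + "A" * 500 + '"'),
    ("198.51.100.10", "multipart/form-data"),
]

if __name__ == "__main__":
    for client, length in flag_requests(SAMPLE):
        print(f"reject {client}: boundary length {length}")
```

The same length check can be applied at a reverse proxy or in a servlet filter in front of the upload endpoint; it complements the version updates listed above and does not replace them.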

Fix

DoS

RCE

Weakness Enumeration

Related identifiers

ALT-PU-2016-3250
ALT-PU-2017-2558
BDU:2016-01698
CESA-2016_2599
CVE-2016-3092
DLA-528-1
DLA-529-1
DSA-3609-1
DSA-3611-1
DSA-3614-1
GHSA-FVM3-CFVJ-GXQQ
MGASA-2016-0260
OPENSUSE-SU-2024:10446-1
OPENSUSE-SU-2024:13441-1
RHSA-2016:2068
RHSA-2016:2069
RHSA-2016:2070
RHSA-2016:2072
RHSA-2016:2599
RHSA-2016:2807
RHSA-2016_2599
RHSA-2017:0455
RHSA-2017:0456
SUSE-SU-2016:2188-1
SUSE-SU-2016_2188-1
SUSE-SU-2017:1660-1
SUSE-SU-2023:0730-1
SUSE-SU-2023:0758-1
USN-3024-1
USN-3027-1

Affected products

Alt Linux
Apache Commons Fileupload
Apache Tomcat
Centos
Red Hat
Red Os
Suse
Ubuntu