NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.

To learn about what's going on, see About the Archive Site.

[thredds] Fwd: [SECURITY] CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Wed, 22 Feb 2023 08:49:58 -0700
Hello all,

Please make sure you are running the latest version of Tomcat, particularly
if you use the Tomcat Manager application.

---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Mon, Feb 20, 2023 at 9:39 AM
Subject: [SECURITY] CVE-2023-24998 Apache Tomcat - FileUpload DoS with
excessive parts
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Cc: Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>,
announce@xxxxxxxxxxxxxxxxx <announce@xxxxxxxxxxxxxxxxx>, <
announce@xxxxxxxxxx>


CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1
Apache Tomcat 10.1.0-M1 to 10.1.4
Apache Tomcat 9.0.0-M1 to 9.0.70
Apache Tomcat 8.5.0 to 8.5.84

Description:
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload
to provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the
Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no
limit to the number of request parts processed. This resulted in the
possibility of an attacker triggering a DoS with a malicious upload or
series of uploads.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M3 or later when released
- Upgrade to Apache Tomcat 10.1.5 or later
- Upgrade to Apache Tomcat 9.0.71 or later
- Upgrade to Apache Tomcat 8.5.85 or later
- Note 11.0.0-M2 was not released

Credit:
This issue was identified by the Apache Tomcat security team.

History:
2023-01-03 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
  • 2023 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: