Security update for jakarta-commons-fileupload SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:0758-1 Final 1 1 2023-03-16T10:34:45Z current 2023-03-16T10:34:45Z 2023-03-16T10:34:45Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for jakarta-commons-fileupload This update for jakarta-commons-fileupload fixes the following issues: - CVE-2016-3092: Fixed a usage of vulnerable FileUpload package can result in denial of service (bsc#986359). - CVE-2023-24998: Fixed a FileUpload deny of service with excessive parts (bsc#1208513). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2023-758,SUSE-OpenStack-Cloud-9-2023-758,SUSE-OpenStack-Cloud-Crowbar-9-2023-758,SUSE-SLE-SAP-12-SP4-2023-758,SUSE-SLE-SERVER-12-SP2-BCL-2023-758,SUSE-SLE-SERVER-12-SP4-ESPOS-2023-758,SUSE-SLE-SERVER-12-SP4-LTSS-2023-758,SUSE-SLE-SERVER-12-SP5-2023-758 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20230758-1/ Link for SUSE-SU-2023:0758-1 https://lists.suse.com/pipermail/sle-security-updates/2023-March/014070.html E-Mail link for SUSE-SU-2023:0758-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1208513 SUSE Bug 1208513 https://bugzilla.suse.com/986359 SUSE Bug 986359 https://www.suse.com/security/cve/CVE-2016-3092/ SUSE CVE CVE-2016-3092 page https://www.suse.com/security/cve/CVE-2023-24998/ SUSE CVE CVE-2023-24998 page SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP4-ESPOS SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 jakarta-commons-fileupload-1.1.1-122.8.1 jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 jakarta-commons-fileupload-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server 12 SP2-BCL jakarta-commons-fileupload-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server 12 SP4-ESPOS jakarta-commons-fileupload-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS jakarta-commons-fileupload-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server 12 SP5 jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server 12 SP5 jakarta-commons-fileupload-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 jakarta-commons-fileupload-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 jakarta-commons-fileupload-1.1.1-122.8.1 as a component of SUSE OpenStack Cloud 9 jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 as a component of SUSE OpenStack Cloud 9 jakarta-commons-fileupload-1.1.1-122.8.1 as a component of SUSE OpenStack Cloud Crowbar 9 jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 as a component of SUSE OpenStack Cloud Crowbar 9 The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. CVE-2016-3092 SUSE Linux Enterprise Server 12 SP2-BCL:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP2-BCL:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP4-LTSS:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP4-LTSS:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP5:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP5:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE OpenStack Cloud 9:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE OpenStack Cloud 9:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE OpenStack Cloud Crowbar 9:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE OpenStack Cloud Crowbar 9:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230758-1/ https://www.suse.com/security/cve/CVE-2016-3092.html CVE-2016-3092 https://bugzilla.suse.com/1068865 SUSE Bug 1068865 https://bugzilla.suse.com/986359 SUSE Bug 986359 https://bugzilla.suse.com/988489 SUSE Bug 988489 Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. CVE-2023-24998 SUSE Linux Enterprise Server 12 SP2-BCL:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP2-BCL:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP4-ESPOS:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP4-LTSS:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP4-LTSS:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP5:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server 12 SP5:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE OpenStack Cloud 9:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE OpenStack Cloud 9:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 SUSE OpenStack Cloud Crowbar 9:jakarta-commons-fileupload-1.1.1-122.8.1 SUSE OpenStack Cloud Crowbar 9:jakarta-commons-fileupload-javadoc-1.1.1-122.8.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20230758-1/ https://www.suse.com/security/cve/CVE-2023-24998.html CVE-2023-24998 https://bugzilla.suse.com/1208513 SUSE Bug 1208513 https://bugzilla.suse.com/1210310 SUSE Bug 1210310 https://bugzilla.suse.com/1211608 SUSE Bug 1211608 https://bugzilla.suse.com/1228313 SUSE Bug 1228313