CVE-2016-3092 in Ubuntu

CVE-2016-3092

Priority

Description

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as
used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before
8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers
to cause a denial of service (CPU consumption) via a long boundary string.

Ubuntu-Description

It was discovered that the Tomcat Fileupload library incorrectly handled
certain upload requests. A remote attacker could possibly use this issue to
cause a denial of service.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
http://markmail.org/message/oyxfv73jb2g7rjg3
https://ubuntu.com/security/notices/USN-3024-1
https://ubuntu.com/security/notices/USN-3027-1

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312

Notes

Package

Source: libcommons-fileupload-java (LP Ubuntu Debian)

Upstream:	released (1.3.2-1)
Ubuntu 18.04 LTS:	not-affected (1.3.2-1)
Ubuntu 20.04 LTS:	not-affected (1.3.2-1)
Ubuntu 21.10:	not-affected (1.3.2-1)
Ubuntu 22.04 LTS:	not-affected (1.3.2-1)
Ubuntu 14.04 ESM:	DNE (trusty was needed)
Ubuntu 20.04 FIPS Compliant:	not-affected (1.3.2-1)

Patches:

Other:

https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480

Package

Source: tomcat6 (LP Ubuntu Debian)

Upstream:	needed
Ubuntu 18.04 LTS:	DNE
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 14.04 ESM:	needed
Ubuntu 20.04 FIPS Compliant:	DNE

Patches:

Other:

https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480

Package

Source: tomcat7 (LP Ubuntu Debian)

Upstream:	released (7.0.70-1)
Ubuntu 18.04 LTS:	not-affected (7.0.70-1)
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 22.04 LTS:	DNE
Ubuntu 14.04 ESM:	released (7.0.52-1ubuntu0.6)
Ubuntu 20.04 FIPS Compliant:	DNE

Patches:

Other:

https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480

Package

Source: tomcat8 (LP Ubuntu Debian)

Upstream:	released (8.0.36-1)
Ubuntu 18.04 LTS:	not-affected (8.0.36-1)
Ubuntu 20.04 LTS:	DNE
Ubuntu 21.10:	DNE
Ubuntu 16.04 ESM:	released (8.0.32-1ubuntu1.1)
Ubuntu 22.04 LTS:	DNE
Ubuntu 14.04 ESM:	DNE
Ubuntu 20.04 FIPS Compliant:	DNE

Patches:

Other:

https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480

Package

Source: tomcat9 (LP Ubuntu Debian)

Upstream:	released (9.0.0M8)
Ubuntu 18.04 LTS:	not-affected (9.0.16-3~18.04.1)
Ubuntu 20.04 LTS:	not-affected (9.0.16-3)
Ubuntu 21.10:	not-affected (9.0.16-3)
Ubuntu 22.04 LTS:	not-affected (9.0.16-3)
Ubuntu 14.04 ESM:	DNE
Ubuntu 20.04 FIPS Compliant:	not-affected (9.0.16-3)

Patches:

Other:

https://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java?r1=1743480&r2=1743479&pathrev=1743480

More Information

Updated: 2022-04-25 00:17:08 UTC (commit ecc1009cb19540b950de59270950018900f37f15)