CVE-2016-3092: Input Validation
First published: Thu Jun 23 2016(Updated: )
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/commons-fileupload:commons-fileupload | <1.3.2 | 1.3.2 |
| redhat/tomcat | <7.0.70 | 7.0.70 |
| redhat/tomcat | <8.5.3 | 8.5.3 |
| redhat/tomcat | <8.0.36 | 8.0.36 |
| HPE IceWall | =5.0 | |
| HP IceWall SSO | =10.0 | |
| Tomcat | =9.0.0-milestone1 | |
| Tomcat | =9.0.0-milestone3 | |
| Tomcat | =9.0.0-milestone4 | |
| Tomcat | =9.0.0-milestone6 | |
| Tomcat | =8.0.0-rc1 | |
| Tomcat | =8.0.0-rc10 | |
| Tomcat | =8.0.0-rc2 | |
| Tomcat | =8.0.0-rc5 | |
| Tomcat | =8.0.1 | |
| Tomcat | =8.0.3 | |
| Tomcat | =8.0.5 | |
| Tomcat | =8.0.8 | |
| Tomcat | =8.0.11 | |
| Tomcat | =8.0.12 | |
| Tomcat | =8.0.14 | |
| Tomcat | =8.0.15 | |
| Tomcat | =8.0.17 | |
| Tomcat | =8.0.18 | |
| Tomcat | =8.0.20 | |
| Tomcat | =8.0.21 | |
| Tomcat | =8.0.22 | |
| Tomcat | =8.0.23 | |
| Tomcat | =8.0.24 | |
| Tomcat | =8.0.26 | |
| Tomcat | =8.0.27 | |
| Tomcat | =8.0.28 | |
| Tomcat | =8.0.29 | |
| Tomcat | =8.0.30 | |
| Tomcat | =8.0.32 | |
| Tomcat | =8.0.33 | |
| Tomcat | =8.0.35 | |
| Debian | =8.0 | |
| Tomcat | =8.5.0 | |
| Tomcat | =8.5.2 | |
| Apache Commons FileUpload | <=1.3.1 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.10 | |
| Ubuntu | =16.04 | |
| Tomcat | =7.0.0 | |
| Tomcat | =7.0.0-beta | |
| Tomcat | =7.0.1 | |
| Tomcat | =7.0.2 | |
| Tomcat | =7.0.2-beta | |
| Tomcat | =7.0.4 | |
| Tomcat | =7.0.4-beta | |
| Tomcat | =7.0.5 | |
| Tomcat | =7.0.5-beta | |
| Tomcat | =7.0.6 | |
| Tomcat | =7.0.8 | |
| Tomcat | =7.0.10 | |
| Tomcat | =7.0.11 | |
| Tomcat | =7.0.12 | |
| Tomcat | =7.0.14 | |
| Tomcat | =7.0.16 | |
| Tomcat | =7.0.19 | |
| Tomcat | =7.0.20 | |
| Tomcat | =7.0.21 | |
| Tomcat | =7.0.22 | |
| Tomcat | =7.0.23 | |
| Tomcat | =7.0.25 | |
| Tomcat | =7.0.26 | |
| Tomcat | =7.0.27 | |
| Tomcat | =7.0.28 | |
| Tomcat | =7.0.29 | |
| Tomcat | =7.0.30 | |
| Tomcat | =7.0.32 | |
| Tomcat | =7.0.33 | |
| Tomcat | =7.0.34 | |
| Tomcat | =7.0.35 | |
| Tomcat | =7.0.37 | |
| Tomcat | =7.0.39 | |
| Tomcat | =7.0.40 | |
| Tomcat | =7.0.41 | |
| Tomcat | =7.0.42 | |
| Tomcat | =7.0.47 | |
| Tomcat | =7.0.50 | |
| Tomcat | =7.0.52 | |
| Tomcat | =7.0.53 | |
| Tomcat | =7.0.54 | |
| Tomcat | =7.0.55 | |
| Tomcat | =7.0.56 | |
| Tomcat | =7.0.57 | |
| Tomcat | =7.0.59 | |
| Tomcat | =7.0.61 | |
| Tomcat | =7.0.62 | |
| Tomcat | =7.0.63 | |
| Tomcat | =7.0.64 | |
| Tomcat | =7.0.65 | |
| Tomcat | =7.0.67 | |
| Tomcat | =7.0.68 | |
| Tomcat | =7.0.69 | |
| Tomcat | =9.0.0-m1 | |
| Tomcat | =9.0.0-m3 | |
| Tomcat | =9.0.0-m4 | |
| Tomcat | =9.0.0-m6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2016-3092
- https://access.redhat.com/errata/RHSA-2017:0455
- https://access.redhat.com/errata/RHSA-2017:0456
- https://bugzilla.redhat.com/show_bug.cgi?id=1349468
- https://github.com/advisories/GHSA-fvm3-cfvj-gxqq (Advisory)
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- https://security.gentoo.org/glsa/201705-09
- https://security.netapp.com/advisory/ntap-20190212-0001/
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- http://jvn.jp/en/jp/JVN89379547/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
- http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E
- http://rhn.redhat.com/errata/RHSA-2016-2068.html
- http://rhn.redhat.com/errata/RHSA-2016-2069.html
- http://rhn.redhat.com/errata/RHSA-2016-2070.html
- http://rhn.redhat.com/errata/RHSA-2016-2071.html
- http://rhn.redhat.com/errata/RHSA-2016-2072.html
- http://rhn.redhat.com/errata/RHSA-2016-2599.html
- http://rhn.redhat.com/errata/RHSA-2016-2807.html
- http://rhn.redhat.com/errata/RHSA-2016-2808.html
- http://rhn.redhat.com/errata/RHSA-2017-0457.html
- http://svn.apache.org/viewvc?view=revision&revision=1743480
- http://svn.apache.org/viewvc?view=revision&revision=1743722
- http://svn.apache.org/viewvc?view=revision&revision=1743738
- http://svn.apache.org/viewvc?view=revision&revision=1743742
- http://tomcat.apache.org/security-7.html
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-9.html
- http://www.debian.org/security/2016/dsa-3609
- http://www.debian.org/security/2016/dsa-3611
- http://www.debian.org/security/2016/dsa-3614
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
- http://www.ubuntu.com/usn/USN-3024-1
- http://www.ubuntu.com/usn/USN-3027-1
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://security.gentoo.org/glsa/202107-39
- https://web.archive.org/web/20160726114129/http://www.securitytracker.com/id/1036427
- https://web.archive.org/web/20160924080828/http://www.securityfocus.com/bid/91453
- https://web.archive.org/web/20170317103106/http://www.securitytracker.com/id/1037029
- https://web.archive.org/web/20171103224941/http://www.securitytracker.com/id/1036900
- https://web.archive.org/web/20171111060434/http://www.securitytracker.com/id/1039606
- http://www.securityfocus.com/bid/91453
- http://www.securitytracker.com/id/1036427
- http://www.securitytracker.com/id/1036900
- http://www.securitytracker.com/id/1037029
- http://www.securitytracker.com/id/1039606
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1349469
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1349470
- https://access.redhat.com/articles/112673
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1349468#c8
- https://rhn.redhat.com/errata/RHSA-2016-2071.html
- https://rhn.redhat.com/errata/RHSA-2016-2070.html
- https://rhn.redhat.com/errata/RHSA-2016-2069.html
- https://rhn.redhat.com/errata/RHSA-2016-2068.html
- https://rhn.redhat.com/errata/RHSA-2016-2072.html
- https://rhn.redhat.com/errata/RHSA-2016-2599.html
- https://rhn.redhat.com/errata/RHSA-2016-2808.html
- https://rhn.redhat.com/errata/RHSA-2016-2807.html
- https://rhn.redhat.com/errata/RHSA-2017-0457.html
Frequently Asked Questions
What is the severity of CVE-2016-3092?
CVE-2016-3092 is classified as a high severity vulnerability due to its potential to cause denial of service.
How do I fix CVE-2016-3092?
To remediate CVE-2016-3092, upgrade Apache Commons Fileupload to version 1.3.2 or later, and ensure Apache Tomcat is updated to at least version 7.0.70, 8.0.36, 8.5.3, or 9.0.0-M7.
What type of attack is possible with CVE-2016-3092?
CVE-2016-3092 allows remote attackers to perform denial of service attacks by sending long boundary strings that consume excessive CPU resources.
Which software versions are affected by CVE-2016-3092?
Affected versions include Apache Commons Fileupload prior to 1.3.2 and various Apache Tomcat versions below specified thresholds.
Is CVE-2016-3092 still a risk if updated software is running?
No, if the software has been updated to the fixed versions, the risk associated with CVE-2016-3092 is mitigated.
- collector/github-advisory-latest
- alias/GHSA-fvm3-cfvj-gxqq
- alias/CVE-2016-3092
- collector/github-advisory
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/references
- agent/author
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-index
- agent/softwarecombine
- package-manager/maven
- package-manager/redhat
- vendor/hp
- canonical/hpe icewall
- version/hpe icewall/5.0
- canonical/hp icewall sso
- version/hp icewall sso/10.0
- vendor/apache
- canonical/tomcat
- version/tomcat/9.0.0-milestone1
- version/tomcat/9.0.0-milestone3
- version/tomcat/9.0.0-milestone4
- version/tomcat/9.0.0-milestone6
- version/tomcat/8.0.0-rc1
- version/tomcat/8.0.0-rc10
- version/tomcat/8.0.0-rc2
- version/tomcat/8.0.0-rc5
- version/tomcat/8.0.1
- version/tomcat/8.0.3
- version/tomcat/8.0.5
- version/tomcat/8.0.8
- version/tomcat/8.0.11
- version/tomcat/8.0.12
- version/tomcat/8.0.14
- version/tomcat/8.0.15
- version/tomcat/8.0.17
- version/tomcat/8.0.18
- version/tomcat/8.0.20
- version/tomcat/8.0.21
- version/tomcat/8.0.22
- version/tomcat/8.0.23
- version/tomcat/8.0.24
- version/tomcat/8.0.26
- version/tomcat/8.0.27
- version/tomcat/8.0.28
- version/tomcat/8.0.29
- version/tomcat/8.0.30
- version/tomcat/8.0.32
- version/tomcat/8.0.33
- version/tomcat/8.0.35
- vendor/debian
- canonical/debian
- version/debian/8.0
- version/tomcat/8.5.0
- version/tomcat/8.5.2
- canonical/apache commons fileupload
- version/apache commons fileupload/1.3.1
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.10
- version/ubuntu/16.04
- version/tomcat/7.0.0
- version/tomcat/7.0.0-beta
- version/tomcat/7.0.1
- version/tomcat/7.0.2
- version/tomcat/7.0.2-beta
- version/tomcat/7.0.4
- version/tomcat/7.0.4-beta
- version/tomcat/7.0.5
- version/tomcat/7.0.5-beta
- version/tomcat/7.0.6
- version/tomcat/7.0.8
- version/tomcat/7.0.10
- version/tomcat/7.0.11
- version/tomcat/7.0.12
- version/tomcat/7.0.14
- version/tomcat/7.0.16
- version/tomcat/7.0.19
- version/tomcat/7.0.20
- version/tomcat/7.0.21
- version/tomcat/7.0.22
- version/tomcat/7.0.23
- version/tomcat/7.0.25
- version/tomcat/7.0.26
- version/tomcat/7.0.27
- version/tomcat/7.0.28
- version/tomcat/7.0.29
- version/tomcat/7.0.30
- version/tomcat/7.0.32
- version/tomcat/7.0.33
- version/tomcat/7.0.34
- version/tomcat/7.0.35
- version/tomcat/7.0.37
- version/tomcat/7.0.39
- version/tomcat/7.0.40
- version/tomcat/7.0.41
- version/tomcat/7.0.42
- version/tomcat/7.0.47
- version/tomcat/7.0.50
- version/tomcat/7.0.52
- version/tomcat/7.0.53
- version/tomcat/7.0.54
- version/tomcat/7.0.55
- version/tomcat/7.0.56
- version/tomcat/7.0.57
- version/tomcat/7.0.59
- version/tomcat/7.0.61
- version/tomcat/7.0.62
- version/tomcat/7.0.63
- version/tomcat/7.0.64
- version/tomcat/7.0.65
- version/tomcat/7.0.67
- version/tomcat/7.0.68
- version/tomcat/7.0.69
- version/tomcat/9.0.0-m1
- version/tomcat/9.0.0-m3
- version/tomcat/9.0.0-m4
- version/tomcat/9.0.0-m6