CVE-2016-3092

Impact:
Moderate
Public Date:
2016-06-21
IAVA:
2016-B-0181
CWE:
CWE-20
Bugzilla:
1349468: CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service
A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long.
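A front-door check a defender can run before a request body ever reaches an unpatched FileUpload, written here as an added example (not Red Hat's or Apache's code): it parses the multipart boundary out of a Content-Type value, rejects anything over the 70-character limit RFC 2046 places on boundaries, and additionally marks boundaries sitting just below the 4096-byte read buffer the advisory describes. The 128-byte "near buffer" margin and all function names are assumptions.

```python
"""Screen multipart/form-data Content-Type values for boundary lengths that
make the CVE-2016-3092 slow path reachable. Added example, not vendor code."""
import re

FILEUPLOAD_BUFFER_SIZE = 4096   # read buffer size named in the advisory
RFC2046_MAX_BOUNDARY = 70       # RFC 2046 s5.1.1: boundary must not exceed 70 chars
NEAR_BUFFER_MARGIN = 128        # assumed window for "just below the buffer size"

# boundary may be quoted (group 1) or a bare token (group 2)
_BOUNDARY_RE = re.compile(r'boundary\s*=\s*(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart Content-Type value, or None."""
    if not content_type.strip().lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_boundary(content_type, buffer_size=FILEUPLOAD_BUFFER_SIZE):
    """Classify a Content-Type value as 'not-multipart', 'ok' or 'oversized'.

    'oversized' boundaries already violate RFC 2046 and can be rejected before
    any body parsing; 'near_buffer' is True when the length falls in the window
    just below buffer_size that the advisory identifies as the expensive case."""
    boundary = extract_boundary(content_type)
    if boundary is None:
        return {"verdict": "not-multipart", "length": 0, "near_buffer": False}
    n = len(boundary)
    near = (buffer_size - NEAR_BUFFER_MARGIN) <= n < buffer_size
    verdict = "oversized" if n > RFC2046_MAX_BOUNDARY else "ok"
    return {"verdict": verdict, "length": n, "near_buffer": near}


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    samples = [
        "multipart/form-data; boundary=----WebKitFormBoundaryAbC123",
        'multipart/form-data; boundary="' + "x" * 4090 + '"',
        "application/json",
    ]
    for s in samples:
        print(classify_boundary(s))
```

In a servlet filter or reverse proxy rule, only the "oversized" verdict needs to be enforced; the near_buffer flag is useful for alerting on attempts against hosts that have not yet taken the errata below.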

Find out more about CVE-2016-3092 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score 4.3
Base Metrics AV:N/AC:M/Au:N/C:N/I:N/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact None
Integrity Impact None
Availability Impact Partial

CVSS v3 metrics

CVSS3 Base Score 7.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity Impact None
Availability Impact High

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server (tomcat7) RHSA-2016:2807 2016-11-17
Red Hat Enterprise Linux 7 (tomcat) RHSA-2016:2599 2016-11-03
Red Hat JBoss Web Server 3.1 for RHEL 6 RHSA-2017:0455 2017-03-07
Red Hat JBoss Web Server 3.1 RHSA-2017:0457 2017-03-07
Red Hat JBoss Enterprise Application Platform 6.4 RHSA-2016:2071 2016-10-17
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (tomcat7) RHSA-2016:2807 2016-11-17
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb) RHSA-2016:2068 2016-10-17
Red Hat JBoss Web Server 3.1 for RHEL 7 RHSA-2017:0456 2017-03-07
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb) RHSA-2016:2070 2016-10-17
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (jbossweb) RHSA-2016:2069 2016-10-17
Red Hat JBoss Web Server 2.1 RHSA-2016:2808 2016-11-17
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) RHSA-2016:2072 2016-10-17

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-tomcat Not affected
Red Hat JBoss Web Server 3.0 tomcat7 Will not fix
Red Hat JBoss Web Server 3.0 tomcat8 Will not fix
Red Hat JBoss Portal Platform 6 jbossweb Will not fix
Red Hat JBoss Operations Network 3 jbossweb Will not fix
Red Hat JBoss Fuse Service Works 6 jbossweb Will not fix
Red Hat JBoss EWS 1 tomcat6 Not affected
Red Hat JBoss EWS 1 tomcat5 Not affected
Red Hat JBoss EAP 5 jbossweb Not affected
Red Hat JBoss EAP 4 jbossweb Not affected
Red Hat JBoss Data Virtualization 6 jbossweb Will not fix
Red Hat JBoss Data Grid 6 jbossweb Will not fix
Red Hat Enterprise Linux 6 tomcat6 Not affected
Red Hat Enterprise Linux 5 tomcat5 Not affected
