CVE-2016-3092
A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.
Find out more about CVE-2016-3092 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | Partial |
CVSS v3 metrics
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | None |
| Availability Impact | High |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server (tomcat7) | RHSA-2016:2807 | 2016-11-17 |
| Red Hat Enterprise Linux 7 (tomcat) | RHSA-2016:2599 | 2016-11-03 |
| Red Hat JBoss Web Server 3.1 for RHEL 6 | RHSA-2017:0455 | 2017-03-07 |
| Red Hat JBoss Web Server 3.1 | RHSA-2017:0457 | 2017-03-07 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2016:2071 | 2016-10-17 |
| Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server (tomcat7) | RHSA-2016:2807 | 2016-11-17 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb) | RHSA-2016:2068 | 2016-10-17 |
| Red Hat JBoss Web Server 3.1 for RHEL 7 | RHSA-2017:0456 | 2017-03-07 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb) | RHSA-2016:2070 | 2016-10-17 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (jbossweb) | RHSA-2016:2069 | 2016-10-17 |
| Red Hat JBoss Web Server 2.1 | RHSA-2016:2808 | 2016-11-17 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2016:2072 | 2016-10-17 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-tomcat | Not affected |
| Red Hat JBoss Web Server 3.0 | tomcat7 | Will not fix |
| Red Hat JBoss Web Server 3.0 | tomcat8 | Will not fix |
| Red Hat JBoss Portal Platform 6 | jbossweb | Will not fix |
| Red Hat JBoss Operations Network 3 | jbossweb | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | jbossweb | Will not fix |
| Red Hat JBoss EWS 1 | tomcat6 | Not affected |
| Red Hat JBoss EWS 1 | tomcat5 | Not affected |
| Red Hat JBoss EAP 5 | jbossweb | Not affected |
| Red Hat JBoss EAP 4 | jbossweb | Not affected |
| Red Hat JBoss Data Virtualization 6 | jbossweb | Will not fix |
| Red Hat JBoss Data Grid 6 | jbossweb | Will not fix |
| Red Hat Enterprise Linux 6 | tomcat6 | Not affected |
| Red Hat Enterprise Linux 5 | tomcat5 | Not affected |