CVE-2023-42794 - Incomplete Cleanup Vulnerability in Apache Tomcat: Potential DoS on Windows

Recently, a security vulnerability has been discovered in Apache Tomcat versions 9..70 through 9..80 and 8.5.85 through 8.5.93. Known as CVE-2023-42794, this incomplete cleanup vulnerability can cause a potential denial of service (DoS) on Windows systems under particular circumstances.

Background

Apache Tomcat is a widely used open-source Java Servlet Container that provides a pure Java HTTP web server environment for running Java code. Applications that use Apache Tomcat, specifically the bundled Commons FileUpload, may be affected by this vulnerability.

This vulnerability arose from an internal fork of Commons FileUpload which came with the aforementioned Apache Tomcat versions. The fork contained an unreleased, in-progress refactoring that unintentionally exposed a potential DoS situation on Windows systems.

What is the vulnerability?

The vulnerability occurs when a web application on the affected Apache Tomcat versions opens a stream for an uploaded file but fails to close the stream properly. As a result, the file will remain on the disk and never be deleted. Over time, this can potentially cause a DoS due to the disk eventually becoming full. The issue affects only Windows systems as the cleanup process is different on other operating systems.

The following code snippet illustrates the problematic scenario: (*not the actual code*)

uploadedFile = <some input>
try {
   fileStream = uploadedFile.openStream()
   // Do some operation with the fileStream
} finally {
   // Missing fileStream.close() which causes the vulnerability
}

While this code snippet uses finally block to ensure that some cleanup operation happens, the actual issue is that fileStream.close() is missing from it, leaving the uploaded file lingering on the disk.

Solution and Recommendations

Users of Apache Tomcat are strongly recommended to update their installations to versions 9..81 onwards or 8.5.94 onwards, as these versions contain a fix for the incomplete cleanup vulnerability.

- Apache Tomcat 9..81: https://archive.apache.org/dist/tomcat/tomcat-9/v9..81/
- Apache Tomcat 8.5.94: https://archive.apache.org/dist/tomcat/tomcat-8/v8.5.94/

If for any reason, you cannot update to the latest versions, make sure that your web applications properly close the file streams for uploaded files in order to avoid the potential accumulation of files leading to a DoS situation.

References

- Apache Tomcat Security Advisory http://tomcat.apache.org/security-9.html
- Apache Commons FileUpload https://commons.apache.org/proper/commons-fileupload/
- CVE Details https://www.cvedetails.com/cve/CVE-2023-42794

By taking the necessary steps to update and ensure proper file stream handling, users of Apache Tomcat can protect their applications and environments against this Incomplete Cleanup vulnerability and potential denial of service situations.

Timeline

Published on: 10/10/2023 18:15:18 UTC
Last modified on: 10/16/2023 14:00:56 UTC