Reference: CERT-EU Security Advisory 2014-037
Title: Apache Tomcat Update [1]

Version history:
09.04.2014 Initial publication

Summary
=======

It was possible to craft a malformed Content-Type header for a multipart request that caused Apache Tomcat to enter an infinite loop. A malicious user could, therefore, craft a malformed request that triggered a denial of service.

CVE numbers: CVE-2014-0050

CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P) [2]

Affected Versions
=================

Apache Tomcat 8.0.0-RC1 to 8.0.1; version 8.0.2 is not included in the list of affected versions.

Original Details
================

The root cause of this error was a bug in Apache Commons FileUpload. Tomcat 8 uses a package-renamed copy of Apache Commons FileUpload to implement the requirement of the Servlet 3.0 and later specifications to support the processing of mime-multipart requests. Tomcat 8 was therefore affected by this issue.

What can you do?
================

This was fixed in revision 1565163. [3] In any case, versions 8.0.3 and 8.0.5 are available and are not affected by this issue.
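Added illustration, not part of the CERT-EU advisory or of Tomcat's own code: a Python pre-filter (for a reverse proxy or WAF in front of an instance that cannot yet be upgraded) that enforces the RFC 2046 rules on the boundary parameter of a multipart Content-Type header, so an overlong or malformed boundary is rejected before it reaches the FileUpload parser. The function names and the sample headers are constructed for this example; the 70-character ceiling is RFC 2046's, and assuming no legitimate client needs more is the operator's call.

```python
import re
from typing import Optional

# RFC 2046 section 5.1.1: a boundary is 1 to 70 characters drawn from
# bchars (DIGIT / ALPHA / ' ( ) + _ , - . / : = ? and space) and
# must not end with a space. Note that ';' is not a bchar, so
# splitting parameters on ';' below cannot split a valid boundary.
MAX_BOUNDARY_LEN = 70
_BCHARS = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]+$")


class BadMultipartHeader(ValueError):
    """Content-Type claims multipart but its boundary breaks RFC 2046."""


def parse_multipart_boundary(content_type: str) -> Optional[str]:
    """Return the boundary of a multipart Content-Type header.

    Returns None for non-multipart media types (nothing to check) and
    raises BadMultipartHeader when the boundary is missing, overlong,
    uses characters outside bchars, or ends with a space.
    """
    media_type, _, params = content_type.partition(";")
    if not media_type.strip().lower().startswith("multipart/"):
        return None
    boundary = None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted-string form keeps inner spaces
            boundary = value
    if boundary is None:
        raise BadMultipartHeader("multipart request without a boundary")
    if len(boundary) > MAX_BOUNDARY_LEN:
        raise BadMultipartHeader(f"boundary too long: {len(boundary)} > {MAX_BOUNDARY_LEN}")
    if not _BCHARS.match(boundary) or boundary.endswith(" "):
        raise BadMultipartHeader("boundary contains characters outside RFC 2046 bchars")
    return boundary


def is_acceptable_content_type(content_type: str) -> bool:
    """True when the header is non-multipart or has a well-formed boundary."""
    try:
        parse_multipart_boundary(content_type)
        return True
    except BadMultipartHeader:
        return False
```

A request whose header fails the check should be answered with 400 and logged; the log line (source address, boundary length) is also a useful signal that someone is probing for this class of bug.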
Take into account that the patch could be distribution dependent and affect several products based on Tomcat:

REDHAT https://access.redhat.com/security/cve/CVE-2014-0050
DEBIAN http://www.debian.org/security/2014/dsa-2897
UBUNTU http://www.ubuntu.com/usn/usn-2130-1/

What to tell your users
=======================

N/A

More information
================

[1] http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.3
[2] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050
[3] http://svn.apache.org/viewvc?view=revision&revision=1565163

Best regards,
CERT-EU Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html