A denial-of-service (DoS) vulnerability (CVE-2016-3092) has been published for Apache Commons FileUpload.
https://jvn.jp/jp/JVN89379547/
We have released a patch that addresses the vulnerability published above.
The affected versions announced for Apache Commons FileUpload are as follows.
Apache Commons FileUpload 1.3 to 1.3.1
Apache Commons FileUpload 1.2 to 1.2.2
The Commons FileUpload version bundled with each iWP/iAP version is as follows. (Some entries differ depending on whether a patch has been applied.)
iAP 8.0.x -> Commons-Fileupload 1.2 / 1.2.2
iWP 7.2 -> Commons-Fileupload 1.2 / 1.2.2
iWP 7.1 -> Commons-Fileupload 1.2
iWP 7.0 -> Commons-Fileupload 1.2
iWP 6.1 -> Commons-Fileupload 1.1.1
iWP 6.0 -> Commons-Fileupload 1.0
We have also confirmed that the issue occurs in iAP and in iWP 6.1 through 7.2, and that it does not occur in earlier versions.
○When you are using intra-mart Accel Platform
The relevant patch can be downloaded with IM-Juggling.
For details, please refer to “Applying module patch” in the intra-mart Accel Platform Setup Guide.
The requirement is published at the following URL.
https://issue.intra-mart.jp/issues/23462
○When you are using intra-mart WebPlatform/AppFramework
The patches can be downloaded from the following URLs.
iWP 7.2: http://newsupport.intra-mart.jp/patch/download/patch_info.php?patch_cd=1336 (Japanese)
iWP 7.1: http://newsupport.intra-mart.jp/patch/download/patch_info.php?patch_cd=1337 (Japanese)
iWP 7.0: http://newsupport.intra-mart.jp/patch/download/patch_info.php?patch_cd=1338 (Japanese)
iWP 6.1: http://newsupport.intra-mart.jp/patch/download/patch_info.php?patch_cd=1339 (Japanese)
○Workaround when the patch is not applied
If the patch is not applied, the impact of this vulnerability can be reduced by applying the workaround below.
Limit the size of the HTTP request header.
-- Target ------------------------------------------------------------------------
iAP/Accel Platform/All Updates
iWP/Web System Construction Platform /WebPlatform/AppFramework
--------------------------------------------------------------------------------
FAQID:611