Apache Commons FileUpload has a Denial of Service (DoS) vulnerability. I want to know the strategy for intra-mart products.

 
A Denial of Service (DoS) vulnerability in Apache Commons FileUpload has been published.

https://jvn.jp/en/jp/JVN89379547/index.html
(CVE-2016-3092)

We have released patches to address the issue described at the above URL.

The affected versions are announced as follows:
Apache Commons Fileupload 1.3 to 1.3.1
Apache Commons Fileupload 1.2 to 1.2.2

The iWP/iAP versions and the Commons Fileupload versions they bundle correspond as follows. (The correspondence may differ in part depending on whether a patch has been applied.)
iAP 8.0.x -> Commons-Fileupload 1.2/1.2.2
iWP 7.2 -> Commons-Fileupload 1.2/1.2.2
iWP 7.1 -> Commons-Fileupload 1.2
iWP 7.0 -> Commons-Fileupload 1.2
iWP 6.1 -> Commons-Fileupload 1.1.1
iWP 6.0 -> Commons-Fileupload 1.0
We verified that the vulnerability reproduces on iAP and on iWP 6.1 to 7.2, and that it does not reproduce on earlier versions.
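
A first-pass inventory check for the version lists above, as an added example that is not part of the original FAQ or of any intra-mart tooling. It assumes JARs follow the usual `commons-fileupload-<version>.jar` naming; the function names and sample file names are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# Inclusive affected ranges as announced on this page.
ANNOUNCED = [((1, 2, 0), (1, 2, 2)), ((1, 3, 0), (1, 3, 1))]
# Assumed naming convention: commons-fileupload-<version>.jar
JAR_RE = re.compile(r"^commons-fileupload-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)


def status(jar_name):
    """Classify a JAR file name as 'in-range', 'outside-range' or 'unknown'."""
    m = JAR_RE.match(jar_name)
    if not m:
        return "unknown"  # renamed or unversioned JAR: inspect its manifest by hand
    parts = [int(p) for p in m.group(1).split(".")]
    version = tuple(parts + [0] * (3 - len(parts)))  # 1.2 -> (1, 2, 0)
    hit = any(lo <= version <= hi for lo, hi in ANNOUNCED)
    return "in-range" if hit else "outside-range"


def scan(root):
    """Return sorted (path, status) pairs for commons-fileupload JARs under root."""
    found = []
    for jar in Path(root).rglob("*.jar"):
        if jar.name.lower().startswith("commons-fileupload"):
            found.append((str(jar), status(jar.name)))
    return sorted(found)


# Constructed sample names covering versions named on this page.
SAMPLE = ["commons-fileupload-1.0.jar", "commons-fileupload-1.1.1.jar",
          "commons-fileupload-1.2.jar", "commons-fileupload-1.2.2.jar",
          "commons-fileupload-1.3.1.jar", "commons-fileupload.jar"]

if __name__ == "__main__":
    if len(sys.argv) > 1:          # scan a deployment directory given as argument
        for path, st in scan(sys.argv[1]):
            print(f"{st:14} {path}")
    else:                          # no argument: classify the constructed samples
        for name in SAMPLE:
            print(f"{status(name):14} {name}")
```

An `outside-range` result is not proof of safety: this page reports the issue reproducing on iWP 6.1, which bundles 1.1.1, and the bundled version can vary with applied patches. Use the output to decide which installations need their patch status confirmed.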

○When using intra-mart Accel Platform products
The patch can be downloaded with IM-Juggling.
For details, refer to “Patching modules” in the intra-mart Accel Platform Setup Guide.
The requirement is published at the following URL.
https://issue.intra-mart.jp/issues/23462

○When using intra-mart WebPlatform/AppFramework products
Appropriate patches can be downloaded from the following URLs.
iWP 7.2: http://newsupport.intra-mart.jp/patch/download/patch_info.php?patch_cd=1336 (Japanese)
iWP 7.1: http://newsupport.intra-mart.jp/patch/download/patch_info.php?patch_cd=1337 (Japanese)
iWP 7.0: http://newsupport.intra-mart.jp/patch/download/patch_info.php?patch_cd=1338 (Japanese)
iWP 6.1: http://newsupport.intra-mart.jp/patch/download/patch_info.php?patch_cd=1339 (Japanese)

○Workaround other than patch application
Until a patch is applied, the following workaround can mitigate the effects of this vulnerability.

・Limit the size of the HTTP request header.

-- Target ------------------------------------------------------------------------
iWP/Web System Construction Platform/WebPlatform/AppFramework
iAP/Accel Platform/All Updates
--------------------------------------------------------------------------------


FAQID:727