Bitbucket Data Center
BSERV-13676

Upgrade Apache Tomcat to 9.0.71


Details


    Description

      The primary motivation for the upgrade is this:

      CVE-2023-24998 Apache Tomcat - FileUpload DoS with excessive parts
      
      Severity: Important
      
      Vendor: The Apache Software Foundation
      
      Versions Affected:
      Apache Tomcat 11.0.0-M1
      Apache Tomcat 10.1.0-M1 to 10.1.4
      Apache Tomcat 9.0.0-M1 to 9.0.70
      Apache Tomcat 8.5.0 to 8.5.84
      
      Description:
      Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload
      to provide the file upload functionality defined in the Jakarta Servlet
      specification. Apache Tomcat was, therefore, also vulnerable to the
      Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no
      limit to the number of request parts processed. This resulted in the
      possibility of an attacker triggering a DoS with a malicious upload or
      series of uploads.
      
      Mitigation:
      Users of the affected versions should apply one of the following
      mitigations:
      - Upgrade to Apache Tomcat 11.0.0-M3 or later when released
      - Upgrade to Apache Tomcat 10.1.5 or later
      - Upgrade to Apache Tomcat 9.0.71 or later
      - Upgrade to Apache Tomcat 8.5.85 or later
      - Note 11.0.0-M2 was not released
      
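The root cause above is the absence of any cap on the number of parts a multipart request may contain. The following is an added example, not Tomcat or Commons FileUpload code: a minimal multipart/form-data part counter that enforces such a cap while scanning the body, raising as soon as the limit is exceeded rather than after every part has been buffered (the class of check that Commons FileUpload 1.5 exposes as `fileCountMax` and that Tomcat 9.0.71 ties to the Connector's `maxParameterCount`). The parser, the helper names, the `TooManyParts` exception and the sample body are all constructed for this illustration.

```python
"""Added example (not Tomcat or Bitbucket code): a minimal multipart/form-data
part counter that enforces a cap on the number of parts, the class of check
the CVE-2023-24998 fix introduced. Names and the sample body are constructed."""


class TooManyParts(Exception):
    """Raised as soon as the part cap is exceeded, before the rest is read."""


def count_parts(body: bytes, boundary: str, max_parts: int) -> int:
    """Count the parts in a multipart body, aborting at the first part over max_parts.

    Only boundary delimiters are scanned, so the cost is linear in the body and
    no per-part state is kept. An unbounded parser would instead allocate headers
    and a buffer or temp file for every part an attacker chooses to send.
    """
    delimiter = b"\r\n--" + boundary.encode("ascii")
    # The first delimiter may sit at the very start without a preceding CRLF.
    data = b"\r\n" + body
    count = 0
    pos = 0
    while True:
        idx = data.find(delimiter, pos)
        if idx < 0:
            break
        after = idx + len(delimiter)
        if data[after:after + 2] == b"--":  # closing delimiter: --boundary--
            break
        count += 1
        if count > max_parts:
            raise TooManyParts(f"more than {max_parts} parts in request")
        pos = after
    return count


def build_multipart(boundary: str, num_parts: int) -> bytes:
    """Constructed sample request body with num_parts tiny file parts."""
    chunks = []
    for i in range(num_parts):
        chunks.append(
            f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="f{i}"; filename="f{i}.txt"\r\n'
            "Content-Type: text/plain\r\n\r\n"
            "x\r\n"
        )
    chunks.append(f"--{boundary}--\r\n")
    return "".join(chunks).encode("ascii")


def accepts(body: bytes, boundary: str, max_parts: int) -> bool:
    """True if the body is within the part cap, False if it would be rejected."""
    try:
        count_parts(body, boundary, max_parts)
        return True
    except TooManyParts:
        return False


if __name__ == "__main__":
    b = "XyZ"
    print(count_parts(build_multipart(b, 3), b, 10))          # 3
    print(accepts(build_multipart(b, 50_000), b, 10_000))     # False
```

The important property is that the check fires during the scan: a limit applied only after the whole body has been parsed still lets the attacker consume the memory and file handles the vulnerability is about.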

      It should be noted that, unrelated to the above change, there is a behaviour change in Tomcat 9.0.71: https://bz.apache.org/bugzilla/show_bug.cgi?id=66196
      Essentially, where previously characters outside the ISO-8859-1 character set could be added to header values (and might then break, or work, somewhere downstream), as of Tomcat 9.0.71 such characters result in the header being dropped and a warning logged, for example:

      The HTTP response header [.......] with value [......] has been removed from the response because it is invalid
      

      This actually required some work in Bitbucket to avoid. For Git archive downloads the filename was being sent via a Content-Disposition header. We used the technique described in RFC 8187 to send an additional "filename*" field in the header that contains the non-ASCII characters encoded. However, the standard "filename" field was still being populated with the original string, which still contained non-ASCII characters.
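To make the fix concrete, here is an added example that is not Bitbucket's code: a builder for a Content-Disposition header that puts an ASCII-only value in `filename` and the real name, percent-encoded per RFC 8187, in `filename*`, together with a check that approximates the rule behind the "has been removed from the response because it is invalid" warning. The exact character rule Tomcat applies is an assumption here (ISO-8859-1 only, no control characters other than HTAB), as are the function names and the sample filenames.

```python
"""Added example (not Bitbucket's or Tomcat's code): building a Content-Disposition
header that carries a non-ASCII filename safely, plus an approximation of the
response-header check introduced in Tomcat 9.0.71. Names and samples are constructed."""
from urllib.parse import quote

# RFC 8187 attr-char beyond ALPHA / DIGIT: these may stay unescaped in filename*
_ATTR_CHAR_SAFE = "!#$&+-.^_`|~"


def header_value_allowed(value: str) -> bool:
    """Assumed approximation of Tomcat's check: every character must be in
    ISO-8859-1 and must not be a control character (HTAB excepted)."""
    return all(
        (0x20 <= ord(c) <= 0x7E) or (0xA0 <= ord(c) <= 0xFF) or c == "\t"
        for c in value
    )


def ascii_fallback(filename: str) -> str:
    """ASCII-only 'filename' value for clients that ignore filename*.
    Non-ASCII characters become '_'; quote, backslash and control characters
    are dropped so the quoted-string cannot be broken out of."""
    out = []
    for c in filename:
        o = ord(c)
        if o < 0x20 or o == 0x7F or c in '"\\':
            continue
        out.append(c if o < 0x80 else "_")
    return "".join(out) or "download"


def content_disposition(filename: str, disposition: str = "attachment") -> str:
    """Build: <disposition>; filename="<ascii>"; filename*=UTF-8''<pct-encoded>
    (RFC 6266 parameters, RFC 8187 ext-value). Everything outside attr-char,
    including '/', space and '%', is percent-encoded so the value is ASCII."""
    ext_value = "UTF-8''" + quote(filename.encode("utf-8"), safe=_ATTR_CHAR_SAFE)
    return f'{disposition}; filename="{ascii_fallback(filename)}"; filename*={ext_value}'


if __name__ == "__main__":
    # The pre-fix shape: raw non-ISO-8859-1 characters inside filename="..."
    old = 'attachment; filename="日本.txt"'
    new = content_disposition("日本.txt")
    print(header_value_allowed(old), old)   # False: Tomcat 9.0.71 would drop it
    print(header_value_allowed(new), new)   # True
```

Note that a Latin-1 name such as "café.txt" passes the ISO-8859-1 check even in the old shape, which is why the problem only surfaced for names outside that set (CJK, emoji, and so on); the builder above encodes both cases the same way so behaviour does not depend on the script of the filename.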

      People

        Assignee: Unassigned
        Reporter: Ben Humphreys (behumphreys)
        Votes: 4
        Watchers: 8