Vulnerabilities in "commons-fileupload-1.5.jar" And Older on the Siteminder AdminUI

Article ID: 431333

Products

SITEMINDER

Issue/Introduction

The Siteminder AdminUI bundles Apache Commons FileUpload.

Siteminder AdminUI r12.8.7   : Apache Commons FileUpload 1.4
Siteminder AdminUI r12.8.8   : Apache Commons FileUpload 1.4
Siteminder AdminUI r12.8.8.1 : Apache Commons FileUpload 1.5
Siteminder AdminUI r12.9     : Apache Commons FileUpload 1.5

A number of CVEs have been published affecting Apache Commons FileUpload 1.0 - 1.5, all of which are remediated in Apache Commons FileUpload 1.6.

This KB delivers Apache Commons FileUpload 1.6 for the Siteminder AdminUI.

Environment

PRODUCT: SiteMinder

COMPONENT: AdminUI

VERSION: R12.8.7; R12.8.8; R12.8.8.1; R12.9

OPERATING SYSTEM:  Any

Cause

The following CVEs have been published impacting Apache Commons FileUpload 1.0 - 1.5:

CVE-2025-48976

SEVERITY: Important

DESCRIPTION: Apache Commons FileUpload 1.x before 1.6.0 provides a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage on the server leading to a DoS. This limit is now configurable (FileUploadBase#setPartHeaderSizeMax) with a default of 512 bytes.

IMPACTED: Apache Commons FileUpload 1.0 - 1.5

REMEDIATED: Apache Commons FileUpload 1.6

------------------------

CVE-2023-24998

SEVERITY: Important

DESCRIPTION: Apache Commons FileUpload before 1.5 does not provide an option to limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

IMPACTED: Apache Commons FileUpload 1.0 - 1.4

REMEDIATED: Apache Commons FileUpload 1.5 and higher
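The two CVE descriptions above name the configuration points that the fixed library exposes: FileUploadBase#setFileCountMax (not enabled by default, must be set explicitly) and FileUploadBase#setPartHeaderSizeMax (default 512 bytes in 1.6). For the AdminUI itself the remediation is the jar replacement described in the Resolution section; the following is an added illustrative example, not AdminUI or Broadcom code, showing how an application that embeds Apache Commons FileUpload 1.6 directly would set every resource limit explicitly. The class name, the limit values and the use of the javax.servlet API are assumptions chosen for the example.

```java
// Added example (not SiteMinder/AdminUI code): configuring an Apache Commons
// FileUpload 1.6 parser with the limits referenced in the CVE descriptions.
// Limit values are illustrative assumptions, not vendor defaults.
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public final class HardenedMultipartParser {

    // Illustrative ceilings (assumptions; tune per application).
    private static final long MAX_REQUEST_BYTES = 20L * 1024 * 1024; // whole request body
    private static final long MAX_FILE_BYTES    = 5L * 1024 * 1024;  // any single part
    private static final long MAX_PART_COUNT    = 10;                // CVE-2023-24998
    private static final int  MAX_PART_HEADER   = 1024;              // CVE-2025-48976

    private HardenedMultipartParser() {}

    /** Builds a parser whose every resource limit is set explicitly. */
    public static ServletFileUpload configuredUpload() {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        // Keep at most 256 KiB of a part in memory; larger parts spill to disk.
        factory.setSizeThreshold(256 * 1024);

        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        upload.setFileSizeMax(MAX_FILE_BYTES);
        // Unlimited (-1) unless set: the CVE-2023-24998 text notes this option
        // is not enabled by default and must be configured explicitly.
        upload.setFileCountMax(MAX_PART_COUNT);
        // 1.6 defaults this to 512 bytes; setting it here makes the chosen
        // value visible in code review instead of being inherited silently.
        upload.setPartHeaderSizeMax(MAX_PART_HEADER);
        return upload;
    }

    /** Parses a multipart request, rejecting anything that exceeds a limit. */
    public static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        try {
            return configuredUpload().parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            // Too many parts in one request: the CVE-2023-24998 request shape.
            throw new FileUploadException("part count limit exceeded", e);
        } catch (FileUploadBase.SizeLimitExceededException e) {
            // Whole request body larger than MAX_REQUEST_BYTES.
            throw new FileUploadException("request size limit exceeded", e);
        }
        // Other limit violations (per-file size, part header size) propagate
        // from parseRequest as FileUploadException to the caller.
    }
}
```

Swapping in the 1.6 jar is what changes the hard-coded header limit into a configurable one with a 512-byte default; the part-count limit from CVE-2023-24998 only takes effect where the application calls setFileCountMax, so for code that embeds the library the jar upgrade and the explicit configuration go together.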


Resolution

Upgrade Apache Commons FileUpload to 1.6 on the Siteminder AdminUI using the patch attached to this KB.

Deployment steps

1) Download "commons-fileupload-1.6.0.jar.zip" attached to this KB to the Siteminder AdminUI Server.

2) Decompress "commons-fileupload-1.6.0.jar.zip" on the Siteminder AdminUI Server.

3) Stop the AdminUI services.

4) Backup and delete the "commons-fileupload-1.x.x.jar" file:

<Install_Dir>/adminui/standalone/deployments/iam_siteminder.ear/library/commons-fileupload-1.x.x.jar

5) Copy "commons-fileupload-1.6.0.jar.zip" into the following directory:

<Install_Dir>/adminui/standalone/deployments/iam_siteminder.ear/library/

6) Start the AdminUI.

Additional Information

Apache Commons FileUpload Security Vulnerabilities


Attachments

commons-fileupload-1.6.0.jar.zip