ICEfaces: ICE-11550

Address the vulnerability CVE-2023-24998

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: EE-4.3.0.GA_P04, EE-3.3.0.GA_P10
    • Component/s: ACE-Components
    • Labels:
      None
    • Environment:
      Any
    • Support Case References:
      Support Case 14724

      Description

      A new vulnerability in Apache Commons FileUpload (CVE-2023-24998) was brought to our attention by a supported customer. We don't use the Apache Commons FileUpload library in a regular way, but rather we integrated its source code into our own in 2010, as per ICE-5912, with some necessary adjustments to support our ace:fileEntry component. This JIRA is for investigating how this vulnerability could affect our ace:fileEntry component and for making necessary changes to mitigate this vulnerability.

        Activity

        Arturo Zambrano added a comment (edited)

        Added a fix to limit the number of files to be uploaded by ace:fileEntry in a single request, avoiding any further processing when the maximum has been reached. Added the org.icefaces.ace.fileEntry.fileCountMax context parameter to configure this limit, and also added a fix in Apache Commons FileUpload.

        There are two code blocks that go through all the parts of the request. The first one does the processing if the multipart-config configuration is declared in the web.xml file, under the faces servlet declaration. Otherwise, the second code block does the processing. The fix was applied to both code blocks.

        These fixes were committed to both the 3.3 trunk and the 4.3 trunk.

        Also added documentation for the new context parameter in the wiki: https://www.icesoft.org/wiki/display/ICE/fileEntry.fileCountMax

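As an added illustration of the mitigation described in the comment above, and not code from ICEfaces or from Apache Commons FileUpload: a minimal multipart/form-data part walker that enforces a per-request file-count limit and refuses to process any file part beyond the configured maximum. CVE-2023-24998 is the Commons FileUpload weakness where a request carrying an unbounded number of parts can consume excessive server resources, so the defensive check has to run before each new part is handled, not after the whole body has been parsed. The class name, the exception name, the `-1` "no limit" convention and the sample request body are assumptions constructed for this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/**
 * Added example, not ICEfaces or Commons FileUpload code: walk the parts
 * of a multipart/form-data body and stop as soon as more file parts than
 * the configured maximum are seen. The limit is checked before any work
 * is done on the offending part, which is what bounds the cost of a
 * request with an excessive number of parts.
 */
public class FileCountLimitDemo {

    /** Thrown when a request carries more file parts than allowed (assumed name). */
    public static class FileCountLimitExceededException extends Exception {
        public FileCountLimitExceededException(String msg) { super(msg); }
    }

    /**
     * Returns the file names found in the body, or throws once the
     * (fileCountMax + 1)-th file part is reached. A fileCountMax of -1
     * reproduces the unbounded, pre-fix behaviour.
     */
    public static List<String> listFileParts(String body, String boundary, int fileCountMax)
            throws FileCountLimitExceededException {
        List<String> files = new ArrayList<>();
        String[] parts = body.split(Pattern.quote("--" + boundary));
        int fileCount = 0;
        for (String part : parts) {
            String trimmed = part.trim();
            // Skip the preamble before the first boundary and the closing "--" marker.
            if (trimmed.isEmpty() || trimmed.equals("--")) continue;
            int headerEnd = part.indexOf("\r\n\r\n");
            if (headerEnd < 0) continue;           // malformed part: no header/body separator
            String fileName = extractFileName(part.substring(0, headerEnd));
            if (fileName == null) continue;        // ordinary form field, not a file
            // Enforce the limit BEFORE touching this part's content.
            fileCount++;
            if (fileCountMax >= 0 && fileCount > fileCountMax) {
                throw new FileCountLimitExceededException(
                        "request exceeds the limit of " + fileCountMax + " file parts");
            }
            files.add(fileName);                   // the "processing" a real parser would do
        }
        return files;
    }

    /** Pulls filename="..." out of a part's Content-Disposition header, or null if absent. */
    private static String extractFileName(String headers) {
        for (String line : headers.split("\r\n")) {
            String lower = line.toLowerCase();
            if (!lower.startsWith("content-disposition:")) continue;
            int idx = lower.indexOf("filename=\"");
            if (idx < 0) return null;
            int start = idx + "filename=\"".length();
            int end = line.indexOf('"', start);
            return end < 0 ? null : line.substring(start, end);
        }
        return null;
    }

    public static void main(String[] args) {
        String boundary = "demoBoundary";
        // Constructed sample body with three file parts.
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i <= 3; i++) {
            sb.append("--").append(boundary).append("\r\n")
              .append("Content-Disposition: form-data; name=\"upload\"; filename=\"f")
              .append(i).append(".txt\"\r\n")
              .append("Content-Type: text/plain\r\n\r\n")
              .append("payload ").append(i).append("\r\n");
        }
        sb.append("--").append(boundary).append("--\r\n");
        String body = sb.toString();
        try {
            System.out.println("limit 5: " + listFileParts(body, boundary, 5));
            System.out.println("limit 2: " + listFileParts(body, boundary, 2));
        } catch (FileCountLimitExceededException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

With a limit of 5 the three sample files are listed; with a limit of 2 the walker throws on the third file part without reading its content. In a servlet-based component such a limit would be read once from a context parameter (the issue uses org.icefaces.ace.fileEntry.fileCountMax for that purpose) rather than passed per call, and a sensible default keeps the bound in place even when the parameter is not configured.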

          People

          • Assignee: Arturo Zambrano
          • Reporter: Arturo Zambrano
          • Votes: 0
          • Watchers: 1

            Dates

            • Created:
              Updated:
              Resolved: