Details
-
Type:
Task
-
Status: Resolved
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-4.3.0.GA_P04, EE-3.3.0.GA_P10
-
Fix Version/s: EE-4.3.0.GA_P05, EE-3.3.0.GA_P11
-
Component/s: ACE-Components
-
Labels:None
-
Environment:Any
-
Support Case References:Support Case 14724
Description
A new vulnerability in Apache Commons FileUpload (CVE-2023-24998) was brought to our attention by a supported customer. We don't use the Apache Commons FileUpload library in a regular way, but rather we integrated its source code into our own in 2010, as per ICE-5912, with some necessary adjustments to support our ace:fileEntry component. This JIRA is for investigating how this vulnerability could affect our ace:fileEntry component and for making necessary changes to mitigate this vulnerability.
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
Added a fix to limit the number of files to be uploaded by ace:fileEntry in a single request, avoiding any further processing when the maximum has been reached. Added the org.icefaces.ace.fileEntry.fileCountMax context parameter to configure this limit, and also added a fix in Apache Commons FileUpload.
There are two code blocks that go through all the parts of the request. The first one is does the processing if the multipart-config configuration is declared in the web.xml file, under the faces servlet declaration. Otherwise, the second code block does the processing. The fix was applied to both code blocks.
These fixes were committed to both the 3.3 trunk and the 4.3 trunk.
Also added documentation for the new context parameter in the wiki: https://www.icesoft.org/wiki/display/ICE/fileEntry.fileCountMax