Bug 510249 - Eclipse Kura uses a vulnerable version of Apache Commons Fileupload
Summary: Eclipse Kura uses a vulnerable version of Apache Commons Fileupload
Status: RESOLVED FIXED
Alias: None
Product: Kura
Classification: IoT
Component: Core
Version: unspecified
Hardware: All All
Importance: P3 major
Target Milestone: ---
Assignee: Project Inbox
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2017-01-11 06:02 EST by Benjamin Cabé
Modified: 2019-03-27 06:16 EDT
CC: 5 users

See Also:
Description Benjamin Cabé 2017-01-11 06:02:44 EST
Eclipse Kura is affected by CVE-2014-0050 and CVE-2013-0248 due to the use of Apache FileUpload 1.2.2.
While Eclipse Kura gateways probably often don’t expose their web interface to malicious users in the first place, this is still a serious issue and could cause devices to become unresponsive if they don't have any watchdog mechanism in place.
 
Updating the code to use a version greater than 1.3.2 for FileUpload would remove the vulnerability.
 
[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050
[2] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248
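As an added example (not code from the bug report or from the Kura project), the check below does what the report's recommendation implies on the defender's side: it scans a build for the commons-fileupload dependency and flags any version that is not above 1.3.2, the threshold the report gives. It resolves Maven `${property}` placeholders from `<properties>` and also reads an OSGi MANIFEST.MF, since Kura ships bundles. The pom.xml and manifest text are constructed samples, the bundle symbolic name `org.apache.commons.fileupload` is assumed, and versions are compared on their first three numeric components only.

```python
"""Added example: flag a commons-fileupload dependency whose version is not
above the 1.3.2 threshold the bug report recommends.  The pom.xml and
MANIFEST.MF samples are constructed; the bundle symbolic name is assumed."""
import re
import xml.etree.ElementTree as ET

# The report says versions greater than 1.3.2 remove the issue, so 1.3.2 and
# below are flagged.  Assumption: numeric comparison of the first three parts.
LAST_VULNERABLE = (1, 3, 2)
FILEUPLOAD_GROUP = "commons-fileupload"
FILEUPLOAD_ARTIFACT = "commons-fileupload"
FILEUPLOAD_BUNDLE = "org.apache.commons.fileupload"  # assumed OSGi bundle name


def parse_version(text):
    """Reduce '1.3.3.v20170405' or '1.4' to a comparable 3-tuple of ints."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) if p is not None else 0 for p in m.groups())


def is_vulnerable_fileupload(version):
    """True when the version is at or below the last version the report flags."""
    return parse_version(version) <= LAST_VULNERABLE


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the Maven POM XML namespace


def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def audit_pom(pom_xml):
    """Return (coordinate, resolved version, vulnerable?) per FileUpload dependency.

    vulnerable? is None when the version is managed elsewhere (no <version>)."""
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            for prop in elem:
                props[_local(prop.tag)] = (prop.text or "").strip()
    findings = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        group = _child_text(dep, "groupId")
        artifact = _child_text(dep, "artifactId")
        if (group, artifact) != (FILEUPLOAD_GROUP, FILEUPLOAD_ARTIFACT):
            continue
        version = _child_text(dep, "version")
        # Resolve ${name} placeholders against <properties>; unknown ones stay as-is
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)), version)
        flag = is_vulnerable_fileupload(version) if version else None
        findings.append((group + ":" + artifact, version, flag))
    return findings


def audit_manifest(manifest_text):
    """Return (version, vulnerable?) if the manifest is the FileUpload bundle, else None."""
    # Unfold continuation lines: a header continues on lines starting with a space
    unfolded = re.sub(r"\r?\n ", "", manifest_text)
    headers = {}
    for line in unfolded.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip()] = value.strip()
    name = headers.get("Bundle-SymbolicName", "").split(";", 1)[0].strip()
    if name != FILEUPLOAD_BUNDLE:
        return None
    version = headers.get("Bundle-Version", "0")
    return version, is_vulnerable_fileupload(version)


# Constructed sample inputs (not taken from Kura)
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <fileupload.version>1.2.2</fileupload.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>commons-fileupload</groupId>
      <artifactId>commons-fileupload</artifactId>
      <version>${fileupload.version}</version>
    </dependency>
    <dependency>
      <groupId>commons-io</groupId>
      <artifactId>commons-io</artifactId>
      <version>2.4</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_MANIFEST = """Manifest-Version: 1.0
Bundle-SymbolicName: org.apache.commons.fileupload
Bundle-Version: 1.2.2
Export-Package: org.apache.commons.fileupload,
 org.apache.commons.fileupload.servlet
"""

if __name__ == "__main__":
    for coord, ver, bad in audit_pom(SAMPLE_POM):
        print(coord, ver, "VULNERABLE" if bad else "ok" if bad is not None else "managed elsewhere")
    print("manifest:", audit_manifest(SAMPLE_MANIFEST))
```

Run it against a real checkout by reading the project's pom.xml files and each bundle's META-INF/MANIFEST.MF into the two audit functions; a `None` flag from `audit_pom` means the version is inherited from a parent or `dependencyManagement` section and has to be resolved there.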
Comment 1 David Woodard 2017-04-05 11:31:10 EDT
Hello,

This issue has been addressed with this issue [1] and this pull request [2]. The updates will be included in the next release of Kura.

[1] https://github.com/eclipse/kura/issues/1282
[2] https://github.com/eclipse/kura/pull/1285

Thanks,
--Dave
Comment 2 Matteo Maiero 2019-03-27 06:16:12 EDT
This has been resolved in 2017.