The MultipartStream class in Apache Commons FileUpload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7, and in other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
jvn.jp/en/jp/JVN89379547/index.html
jvndb.jvn.jp/jvndb/JVNDB-2016-000121
lists.opensuse.org/opensuse-updates/2016-09/msg00025.html
mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E
rhn.redhat.com/errata/RHSA-2016-2068.html
rhn.redhat.com/errata/RHSA-2016-2069.html
rhn.redhat.com/errata/RHSA-2016-2070.html
rhn.redhat.com/errata/RHSA-2016-2071.html
rhn.redhat.com/errata/RHSA-2016-2072.html
rhn.redhat.com/errata/RHSA-2016-2599.html
rhn.redhat.com/errata/RHSA-2016-2807.html
rhn.redhat.com/errata/RHSA-2016-2808.html
rhn.redhat.com/errata/RHSA-2017-0457.html
svn.apache.org/viewvc?view=revision&revision=1743480
svn.apache.org/viewvc?view=revision&revision=1743722
svn.apache.org/viewvc?view=revision&revision=1743738
svn.apache.org/viewvc?view=revision&revision=1743742
tomcat.apache.org/security-7.html
tomcat.apache.org/security-8.html
tomcat.apache.org/security-9.html
www.debian.org/security/2016/dsa-3609
www.debian.org/security/2016/dsa-3611
www.debian.org/security/2016/dsa-3614
www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
www.securityfocus.com/bid/91453
www.securitytracker.com/id/1036427
www.securitytracker.com/id/1036900
www.securitytracker.com/id/1037029
www.securitytracker.com/id/1039606
www.ubuntu.com/usn/USN-3024-1
www.ubuntu.com/usn/USN-3027-1
access.redhat.com/errata/RHSA-2017:0455
access.redhat.com/errata/RHSA-2017:0456
bugzilla.redhat.com/show_bug.cgi?id=1349468
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
security.gentoo.org/glsa/201705-09
security.gentoo.org/glsa/202107-39
security.netapp.com/advisory/ntap-20190212-0001/
www.oracle.com/security-alerts/cpuapr2020.html
www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html