CVE-2023-42794 Overview
CVE-2023-42794 is an Incomplete Cleanup vulnerability (CWE-459) affecting Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat contains an unreleased, in-progress refactoring that exposed a potential denial of service on Windows systems. When a web application opens a stream for an uploaded file but fails to close the stream properly, the file is never deleted from disk. This creates the possibility of an eventual denial of service due to disk space exhaustion.
Critical Impact
Windows-based Apache Tomcat deployments are vulnerable to disk exhaustion attacks when file upload streams are not properly closed, potentially leading to complete denial of service as disk space fills with orphaned temporary files.
Affected Products
- Apache Tomcat 9.0.70 through 9.0.80
- Apache Tomcat 8.5.85 through 8.5.93
- Other End-of-Life (EOL) versions may also be affected
Discovery Timeline
- 2023-10-10 - CVE CVE-2023-42794 published to NVD
- 2025-10-29 - Last updated in NVD database
Technical Details for CVE-2023-42794
Vulnerability Analysis
This vulnerability stems from incomplete cleanup operations within Apache Tomcat's internal fork of Commons FileUpload. The issue specifically affects Windows environments due to how the operating system handles file locking. When a web application processes file uploads and opens an input stream to read the uploaded file content, but fails to properly close that stream before the request completes, the temporary file remains locked by the operating system. Unlike POSIX-compliant systems where files can be deleted even when open, Windows prevents deletion of files that have open handles.
The vulnerability was introduced during an unreleased refactoring effort within the Commons FileUpload component bundled with Tomcat. This incomplete code change altered how temporary file cleanup was handled, creating a code path where file deletion could silently fail without proper error handling or retry mechanisms.
Root Cause
The root cause is CWE-459 (Incomplete Cleanup), where the application fails to ensure that temporary uploaded files are properly deleted when streams remain open. The internal refactoring of Commons FileUpload introduced a regression that bypassed the normal cleanup logic under specific conditions. On Windows systems, when an application holds an open stream to an uploaded file, the file system prevents deletion of that file, and the affected Tomcat versions did not properly handle this scenario or queue the file for later cleanup.
Attack Vector
The attack vector is network-based, allowing remote attackers to exploit this vulnerability without authentication. An attacker can repeatedly upload files to a vulnerable Tomcat web application that improperly handles file stream closure. Each failed cleanup leaves an orphaned temporary file on the Windows server's disk. Over time, these accumulated files can exhaust available disk space, leading to a denial of service condition that affects not only the Tomcat application but potentially other services running on the same server.
The attack requires high complexity to execute successfully because it depends on the target web application having a specific bug where uploaded file streams are opened but not closed. However, once such an application is identified, the exploitation itself is straightforward through repeated file uploads.
Detection Methods for CVE-2023-42794
Indicators of Compromise
- Unusual accumulation of temporary files in Tomcat's work directory or system temp directories
- Steadily decreasing disk space on Windows servers running Tomcat without corresponding application activity
- Application logs showing file deletion failures or IOException related to file operations
- Presence of orphaned .tmp files in upload directories that persist beyond request lifecycles
Detection Strategies
- Monitor disk space utilization trends on Windows servers hosting Apache Tomcat instances
- Implement file system auditing to track temporary file creation and deletion patterns
- Review application logs for stream closure exceptions or file handle leaks
- Use application performance monitoring tools to detect unclosed resource handles
Monitoring Recommendations
- Configure alerts for disk space thresholds on affected servers (recommend warning at 80%, critical at 90%)
- Implement periodic cleanup scripts to identify and remove orphaned temporary files older than expected request durations
- Monitor the count of open file handles for Tomcat processes to detect potential stream leaks
- Review application code for proper try-with-resources patterns or explicit stream closure in file upload handlers
How to Mitigate CVE-2023-42794
Immediate Actions Required
- Upgrade Apache Tomcat 9.x installations to version 9.0.81 or later
- Upgrade Apache Tomcat 8.5.x installations to version 8.5.94 or later
- Review web applications for proper file upload stream handling and ensure all streams are closed
- Monitor disk space on Windows servers running vulnerable Tomcat versions until patching is complete
Patch Information
Users are recommended to upgrade to Apache Tomcat version 9.0.81 or later for the 9.x branch, or version 8.5.94 or later for the 8.5.x branch. These versions include fixes for the incomplete cleanup issue in the internal Commons FileUpload fork. The patch ensures proper cleanup of temporary files even when application code fails to close upload streams. For detailed information, refer to the Apache Mailing List Discussion.
Workarounds
- Audit and fix all web application code to ensure proper closure of file upload input streams using try-with-resources or explicit finally blocks
- Implement scheduled tasks to clean up orphaned temporary files in Tomcat work directories
- Consider deploying on Linux/Unix systems where file deletion is not blocked by open handles
- Implement disk quota monitoring and alerts to detect potential abuse before complete exhaustion
# Configuration example
# Scheduled cleanup script for Windows Tomcat servers
# Run this as a scheduled task to remove orphaned temp files older than 24 hours
# PowerShell script to clean orphaned temporary files
# Get-ChildItem -Path "C:\path\to\tomcat\work" -Recurse -File |
# Where-Object { $_.LastWriteTime -lt (Get-Date).AddHours(-24) } |
# Remove-Item -Force -ErrorAction SilentlyContinue
# Monitor disk space and alert if below threshold
# $disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'"
# $freePercent = ($disk.FreeSpace / $disk.Size) * 100
# if ($freePercent -lt 20) { Write-Warning "Disk space critically low" }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
