QA: CVE-2023-28370 – Tornado vulnerability (max_body_size bypass) affects UCS?

Question:

Does UCS contain the Tornado vulnerability described in CVE-2023-28370 - Tornado vulnerability (max_body_size bypass), and how is it addressed?

Answer:

Summary

CVE-2023-28370 is a vulnerability in Tornado Web Server versions prior to 6.3.3. The flaw allows attackers to bypass the max_body_size restriction when HTTP requests are sent using chunked transfer encoding. This may result in uncontrolled memory consumption and denial-of-service (DoS) conditions.


Affected Product

  • Univention Corporate Server (UCS)
  • Tornado version 5.1.1

Fixed Versions

This issue has been resolved in the following UCS updates:

  • UCS 5.2 (includes a fixed Tornado version)
  • UCS 5.0-9 erratum 1199

References:


Impact

An attacker may exploit this flaw by sending specially crafted HTTP requests using chunked transfer encoding. This bypasses the configured max_body_size limit, potentially exhausting system memory and leading to service unavailability.


Technical Details

  • Expected behavior: Tornado should enforce max_body_size restrictions regardless of the transfer encoding.
  • Actual behavior: When chunked transfer encoding is used, Tornado fails to apply the restriction, allowing excessive request sizes.

Resolution

Customers are strongly advised to update their UCS systems to one of the fixed versions:

  • UCS 5.2 (latest release)
  • UCS 5.0-9 with erratum 1199 applied

This ensures that Tornado enforces request body size limits correctly, mitigating the risk of denial-of-service attacks.
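
An added example, not Tornado's or Univention's code, sketching the enforcement the Technical Details section describes: a small chunked-body decoder that applies max_body_size to the running decoded total, beside a hypothetical weak variant (`per_chunk_only`) that only checks each chunk on its own. The sample body and the helper names are constructed for this illustration.

```python
# Added example (not Tornado's or Univention's code): a minimal decoder for an
# HTTP/1.1 chunked request body that enforces max_body_size on the cumulative
# decoded size, which is the behaviour the advisory says a fixed Tornado must
# have. 'per_chunk_only' is a hypothetical weak variant shown for comparison.
class BodyTooLarge(Exception):
    """Raised before an over-limit chunk is buffered in memory."""


def read_chunked_body(raw: bytes, max_body_size: int, per_chunk_only: bool = False) -> bytes:
    body = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        # chunk-size is hexadecimal and may carry ';extensions' that we ignore
        chunk_len = int(raw[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if chunk_len == 0:
            return bytes(body)  # last-chunk reached; trailers are not handled here
        # Weak check: each chunk alone stays under the limit, so many small
        # chunks can add up to an arbitrarily large body in memory.
        # Correct check: the running total, evaluated before the data is copied.
        already = 0 if per_chunk_only else len(body)
        if already + chunk_len > max_body_size:
            raise BodyTooLarge(f"decoded body would exceed {max_body_size} bytes")
        body += raw[pos:pos + chunk_len]
        pos += chunk_len
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("malformed chunk terminator")
        pos += 2


def encode_chunked(chunks: list) -> bytes:
    """Build a constructed chunked body from a list of chunk payloads."""
    out = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in chunks)
    return out + b"0\r\n\r\n"


# Constructed input: four 6-byte chunks (24 bytes total), later tested
# against limits that only the cumulative check can enforce.
SAMPLE = encode_chunked([b"aaaaaa", b"bbbbbb", b"cccccc", b"dddddd"])


def enforced(raw: bytes, limit: int, per_chunk_only: bool = False) -> bool:
    """True when the decoder rejects the body as exceeding the limit."""
    try:
        read_chunked_body(raw, limit, per_chunk_only)
        return False
    except BodyTooLarge:
        return True
```

With a 16-byte limit the cumulative check rejects the 24-byte sample at the third chunk, while the per-chunk variant accepts it because no single chunk exceeds 16 bytes.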
