Tornado Excessive Logging Vulnerability in Multipart Form Data Parsing Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Tornado, a Python web framework, in all versions prior to 6.5.0. The issue arises in the 'multipart/form-data' parser, which, upon encountering certain errors, logs a warning but continues to process the remaining data. This behavior enables remote attackers to create a high volume of log entries, exacerbating the denial-of-service condition due to Tornado's synchronous logging system. The vulnerable parser is enabled by default.

Impact

Exploitation of this vulnerability leads to excessive logging, causing a denial-of-service condition by overwhelming the application's log management system.

Reproduction

The vulnerability can be reproduced by sending malformed 'multipart/form-data' that triggers parsing errors. The default behavior of the Tornado server will log warnings about the errors but continue processing the data, allowing for the generation of excessive log entries.

Remediation

Users are advised to upgrade to Tornado version 6.5.0 or later. For those unable to upgrade, a temporary workaround is to block 'Content-Type: multipart/form-data' at the proxy level.
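For deployments that can neither upgrade nor block the content type at the proxy, a log throttle bounds the cost of a warning burst. The filter below is an added example, not Tornado's own code or the project's workaround; it assumes, as in Tornado's source, that the parser warns through the "tornado.general" logger, and the burst messages it feeds in are constructed stand-ins, not the parser's real warning text.

```python
import logging
import logging.handlers
import time
from collections import deque

class BurstLimitFilter(logging.Filter):
    """Pass at most max_records log records per window seconds and drop the rest;
    the first record that passes after a burst is annotated with the drop count."""

    def __init__(self, max_records=20, window=1.0, clock=time.monotonic):
        super().__init__()
        self.max_records, self.window, self.clock = max_records, window, clock
        self.stamps = deque()  # times of the records passed within the window
        self.dropped = 0

    def filter(self, record):
        now = self.clock()
        while self.stamps and now - self.stamps[0] > self.window:
            self.stamps.popleft()  # forget records that fell out of the window
        if len(self.stamps) >= self.max_records:
            self.dropped += 1
            return False  # over budget: drop the record but count it
        self.stamps.append(now)
        if self.dropped:  # summarise the burst that just ended
            record.msg = f"{record.msg} [{self.dropped} records dropped in burst]"
            self.dropped = 0
        return True

def simulate_burst(n_warnings, max_records=20):
    """Push n_warnings through a throttled "tornado.general" logger (the logger
    Tornado's parser warns through) and return the messages that got through."""
    clock = [0.0]  # fake clock: the whole burst lands at t=0
    logger = logging.getLogger("tornado.general")
    handler = logging.handlers.BufferingHandler(capacity=100_000)  # keeps records in .buffer
    flt = BurstLimitFilter(max_records, window=1.0, clock=lambda: clock[0])
    logger.addHandler(handler)
    logger.addFilter(flt)
    saved, logger.propagate = logger.propagate, False
    try:
        for i in range(n_warnings):  # constructed stand-in for per-part parser warnings
            logger.warning("Invalid multipart/form-data part %d", i)
        clock[0] = 2.0  # the window has expired by the time the next request logs
        logger.warning("next request")
    finally:
        logger.removeHandler(handler)
        logger.removeFilter(flt)
        logger.propagate = saved
    return [r.getMessage() for r in handler.buffer]
```

In a real service the filter would be attached once to the "tornado.general" logger (or to the handler that writes the log) rather than inside a simulation helper; the budget is a cap on log I/O per second, so a body with thousands of malformed parts costs at most max_records writes plus one summary line.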

Added: Jun 5, 2025, 11:24 PM
Updated: Jun 5, 2025, 11:59 PM

Vulnerability Rating

Custom Algorithm
spread: 7.6
impact: 2.5
exploitability: 9.3
remediation: 8.3
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.