PatchSiren cyber security CVE debrief

CVE-2023-42794 Siemens CVE debrief

CVE-2023-42794 is a MEDIUM severity (CVSS 5.9) Incomplete Cleanup vulnerability in Apache Tomcat, affecting versions 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93. The issue stems from an internal fork of Commons FileUpload that included unreleased refactoring code, exposing a denial-of-service condition on Windows systems. If a web application opens a stream for an uploaded file but fails to close it, the file is never deleted from disk, potentially leading to disk exhaustion over time. Siemens SINEC NMS is identified as an affected product in this advisory. The vulnerability was published on August 13, 2024, and is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
Siemens
Product
SINEC NMS
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2024-08-13
Original CVE updated
2024-08-13
Advisory published
2024-08-13
Advisory updated
2024-08-13

Who should care

Organizations running Siemens SINEC NMS on affected versions, Apache Tomcat administrators on Windows with file upload functionality, industrial control system operators relying on Tomcat-based web applications, and security teams responsible for resource exhaustion attack prevention in Java web environments.

Technical summary

The vulnerability exists in an internal fork of Apache Commons FileUpload packaged with specific Apache Tomcat versions. An in-progress refactoring exposed a cleanup failure: when a web application opens a stream for an uploaded file but fails to close it, the temporary file is never deleted on Windows systems. This resource leak can accumulate over time, eventually exhausting available disk space and causing denial of service. The issue is platform-specific to Windows due to file locking behavior that prevents deletion of open files.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Siemens SINEC NMS to version 3.0 or later per vendor guidance
  • For Apache Tomcat deployments, upgrade to version 9.0.81 or later, or 8.5.94 or later
  • Audit web applications for proper file stream closure after upload handling
  • Monitor disk usage on Windows-based Tomcat servers for abnormal growth in temporary directories
  • Review application code to ensure all InputStream/OutputStream objects from file uploads are closed in finally blocks or try-with-resources
  • Apply defense-in-depth practices for industrial control systems as recommended by CISA
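The following is an added example, not code from the advisory, from Apache Tomcat, or from Siemens. It reproduces the cleanup failure described above with plain java.io so it runs without a servlet container: a temporary file stands in for the file Tomcat's internal Commons FileUpload fork writes to disk for an upload, a leaky handler reads it through an InputStream it never closes, and the correct handler uses try-with-resources as the action list recommends. The class name, method names and the sample payload are constructed for the demo. On Windows the leaky case reports that the file could not be deleted, because the open handle blocks deletion; on Linux or macOS the delete succeeds even with the stream open, which is exactly why the page describes the bug as Windows-specific.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

/**
 * Stand-alone demonstration of the stream-cleanup mistake behind CVE-2023-42794.
 * Names and sample data are constructed; nothing here is Tomcat's own code.
 */
public class UploadStreamCleanupDemo {

    /** Creates a stand-in for an upload temp file with constructed sample content. */
    static File createFakeUploadTempFile() throws IOException {
        File f = File.createTempFile("upload_", ".tmp");
        Files.write(f.toPath(), "constructed sample upload payload".getBytes(StandardCharsets.UTF_8));
        return f;
    }

    /** Reads the whole stream, the way an upload handler would process the body. */
    static long consume(InputStream in) throws IOException {
        byte[] buf = new byte[4096];
        long total = 0;
        int n;
        while ((n = in.read(buf)) != -1) {
            total += n;
        }
        return total;
    }

    /**
     * LEAKY pattern: the stream is opened (compare Part.getInputStream() or
     * FileItem.getInputStream() in a real handler) but never closed before the
     * temp file is deleted. Returns whether that deletion succeeded; on Windows
     * it is false because the open handle locks the file.
     */
    static boolean leakyHandlerThenCleanup() throws IOException {
        File tmp = createFakeUploadTempFile();
        InputStream in = new FileInputStream(tmp);
        consume(in);
        // No in.close() here: this is the application bug the advisory describes.
        boolean deleted = tmp.delete();
        if (!deleted) {
            System.out.println("leaky: temp file left on disk at " + tmp);
        }
        // Tidy up after the demo only; a real handler would already have leaked the file.
        in.close();
        tmp.delete();
        return deleted;
    }

    /**
     * CORRECT pattern: try-with-resources guarantees close() runs before the
     * cleanup deletion, so the delete succeeds on every platform.
     */
    static boolean safeHandlerThenCleanup() throws IOException {
        File tmp = createFakeUploadTempFile();
        try (InputStream in = new FileInputStream(tmp)) {
            consume(in);
        }
        return tmp.delete();
    }

    public static void main(String[] args) throws IOException {
        boolean windows = System.getProperty("os.name").toLowerCase().contains("win");
        System.out.println("os=" + System.getProperty("os.name"));
        System.out.println("leaky handler, file deleted: " + leakyHandlerThenCleanup()
                + (windows ? " (expected false on Windows)" : " (POSIX unlinks open files)"));
        System.out.println("safe handler, file deleted: " + safeHandlerThenCleanup()
                + " (expected true everywhere)");
    }
}
```

Compile and run with `javac UploadStreamCleanupDemo.java && java UploadStreamCleanupDemo`. The same try-with-resources shape applies to any stream obtained from an uploaded file in servlet code; the code-review action above amounts to finding every such stream that is opened outside a try-with-resources or finally block.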

Evidence notes

The vulnerability description and affected product information are derived from CISA CSAF advisory ICSA-24-228-06, which identifies Siemens SINEC NMS as affected. The Apache Tomcat version ranges and remediation guidance (upgrade to 9.0.81+ or 8.5.94+) are explicitly stated in the source. CVSS 5.9 MEDIUM severity is confirmed. The CVE was published August 13, 2024, with no KEV entry present.

Official resources

Apache Tomcat versions 9.0.70-9.0.80 and 8.5.85-8.5.93 contain an incomplete cleanup vulnerability in their internal Commons FileUpload fork. On Windows systems, unclosed file streams from uploads are not deleted, enabling eventual disk-flo