The servlet engine only reads the uploaded byte stream and hands it to the servlet code (which presumably does nothing more than save it to disk). So I don't think there is much potential for trouble there.
If you want to make sure that it is a valid image file you'd have to try to open it, using javax.imageio.ImageIO or something similar, which is more problematic. You could do that under a ClassLoader and SecurityManager that implement very tight permissions (nothing more than reading a file from the directory where you store the uploaded files).
If you really want to check for viruses, you can delegate to the host machine for this. If the server your servlet container is on has an on-access virus scanner, it is easy enough to persist the uploaded file to disk then read it back. If the virus scanner quarantines the file, you will not be able to read it. It's tricky to convey to the client what has gone wrong this way, however. [ July 28, 2008: Message edited by: Paul Sturrock ]
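The two checks discussed in this thread, reading the stored file back and opening it with `javax.imageio.ImageIO`, combined in one added example that is not code from any of the posters. The class name, the allowed-format list and the dimension limit are assumptions chosen for illustration.

```java
import java.awt.image.BufferedImage;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import javax.imageio.ImageIO;
import javax.imageio.ImageReader;
import javax.imageio.stream.ImageInputStream;

public class UploadCheck {
    // Assumed policy values (not from the thread).
    static final Set<String> ALLOWED = Set.of("png", "jpeg", "gif");
    static final int MAX_SIDE = 8000;

    // Returns the format name, or throws IOException if the stored upload is rejected.
    static String verifyStoredImage(Path stored) throws IOException {
        // Read-back: fails here if an on-access scanner removed or locked the file.
        try (InputStream in = Files.newInputStream(stored);
             ImageInputStream iis = ImageIO.createImageInputStream(in)) {
            Iterator<ImageReader> readers = ImageIO.getImageReaders(iis);
            if (!readers.hasNext()) throw new IOException("not a recognised image");
            ImageReader reader = readers.next();
            try {
                reader.setInput(iis, true, true);
                String format = reader.getFormatName().toLowerCase(Locale.ROOT);
                if (!ALLOWED.contains(format)) throw new IOException("format not allowed: " + format);
                // Check header dimensions before decoding any pixel data.
                int w = reader.getWidth(0), h = reader.getHeight(0);
                if (w < 1 || h < 1 || w > MAX_SIDE || h > MAX_SIDE) throw new IOException("bad dimensions");
                reader.read(0); // full decode; corrupt data surfaces as an exception
                return format;
            } catch (RuntimeException e) {
                throw new IOException("malformed image data", e);
            } finally {
                reader.dispose();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path good = Files.createTempFile("upload", ".bin"); // constructed sample files
        ImageIO.write(new BufferedImage(4, 4, BufferedImage.TYPE_INT_RGB), "png", good.toFile());
        Path bad = Files.write(Files.createTempFile("upload", ".bin"), "not an image".getBytes());
        System.out.println(verifyStoredImage(good));
        try { verifyStoredImage(bad); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A single `IOException` covers both the unreadable-file and the invalid-image case, so the servlet can map it to one generic rejection response for the client.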