Greetings,
For those who use the Tomcat servlet container, please be mindful of the CVE
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11996> issued
today and upgrade to the latest version.
Cheers,
Jennifer
On Thu, Jun 25, 2020 at 3:56 PM Mark Thomas <markt@xxxxxxxxxx> wrote:
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
>
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become
> unresponsive.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
>
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
>
