Tomcat Vulnerabilities - CVE-2020-11996, CVE-2020-13934, CVE-2020-13935

Article ID: 195401

Products

CA Spectrum

Issue/Introduction

CVE-2020-11996 (OneClick does not use HTTP/2)
Apache Tomcat HTTP/2 Denial of Service.
The Apache Software Foundation has addressed a vulnerability in affected versions of Apache Tomcat. A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

CVE-2020-13934 (OneClick does not use HTTP/2 and is therefore not affected)
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur, leading to a denial of service.

CVE-2020-13935
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Environment

Release : 10.4.2 and below

Component : Spectrum OneClick

Resolution

The Spectrum_10.04.02.PTF_10.4.206a patch for Spectrum 10.4.2 updates Tomcat to version 9.0.37, which addresses these vulnerabilities.

Spectrum 10.4.2.1 updates Tomcat to 9.0.37, which addresses these vulnerabilities.

Spectrum 10.5.0 will also include Tomcat 9.0.37 when released. No specific release date was available at the time this knowledge article was published.
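As an added example (not part of the article or the Spectrum product), the following Python checks an installed Tomcat version against the affected ranges quoted above for CVE-2020-13934 and CVE-2020-13935 and confirms that the 9.0.37 release named in the Resolution falls outside them; CVE-2020-11996 is left out because the article states no version range for it. The version is read from the `Server version: Apache Tomcat/x.y.z` line that `catalina.sh version` prints; the sample banner is constructed.

```python
import re

# Affected Tomcat version ranges (inclusive) exactly as the article states them.
# CVE-2020-11996 is omitted because the article names no version range for it.
AFFECTED = {
    "CVE-2020-13934": [("10.0.0-M1", "10.0.0-M6"), ("9.0.0.M5", "9.0.36"),
                       ("8.5.1", "8.5.56")],
    "CVE-2020-13935": [("10.0.0-M1", "10.0.0-M6"), ("9.0.0.M1", "9.0.36"),
                       ("8.5.0", "8.5.56"), ("7.0.27", "7.0.104")],
}

# Final builds (9.0.37) plus both milestone spellings Tomcat has used:
# 9.0.0.M5 (8.x/9.x style) and 10.0.0-M6 (10.x style).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

def parse_tomcat_version(text):
    """Return a tuple that sorts Tomcat versions correctly: a milestone
    precedes the final build with the same numbers, so element 4 is 0 for a
    milestone and 1 for a final, and element 5 is the milestone number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def affected_cves(version):
    """Return the listed CVEs whose inclusive ranges contain `version`."""
    v = parse_tomcat_version(version)
    return sorted(cve for cve, ranges in AFFECTED.items()
                  if any(parse_tomcat_version(lo) <= v <= parse_tomcat_version(hi)
                         for lo, hi in ranges))

def version_from_banner(line):
    """Extract the version from the 'Server version:' line printed by
    `catalina.sh version`, e.g. 'Server version: Apache Tomcat/9.0.36'."""
    m = re.search(r"Apache Tomcat/(\S+)", line)
    if not m:
        raise ValueError("no Tomcat version in banner: %r" % line)
    return m.group(1)

if __name__ == "__main__":
    # Constructed sample banner, not output captured from a real OneClick host.
    banner = "Server version: Apache Tomcat/9.0.36"
    print(banner, "->", affected_cves(version_from_banner(banner)))
    print("9.0.37 ->", affected_cves("9.0.37"))  # release the article names as fixed
```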