Tomcat Vulnerabilities - CVE-2020-11996, CVE-2020-13934, CVE-2020-13935
CVE-2020-11996 (OneClick does not use HTTP/2 and therefore is not affected by this)
Apache Tomcat HTTP/2 Denial of Service.
The Apache Software Foundation has addressed this vulnerability in Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35
and 8.5.0 to 8.5.55. A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a
sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
CVE-2020-13934 (OneClick does not use HTTP/2 and therefore is not affected by this)
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the
HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException
could occur leading to a denial of service.
CVE-2020-13935
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36,
8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload
lengths could lead to a denial of service. Unlike the two issues above, this flaw is in Tomcat's WebSocket frame handling rather
than HTTP/2, so the "OneClick does not use HTTP/2" exemption does not apply to it.
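The length rules a WebSocket frame reader has to enforce (RFC 6455 section 5.2) are shown below in a small parser. This is an added example written for this article, not code from Tomcat or from Spectrum; it does not reproduce the Tomcat bug, it shows the checks a correct reader performs and why a reader that skips them can misbehave. The 1 MiB per-frame cap, the sample frames and the mask key are constructed for the example.

```python
"""Strict WebSocket frame header parsing (RFC 6455 section 5.2).

Added example for CVE-2020-13935; not Tomcat's or Spectrum's code.
"""
import struct

MAX_PAYLOAD = 1 << 20  # assumed per-frame cap for this example; real servers configure their own


class FrameError(ValueError):
    """Raised for any frame the RFC forbids, before the payload read loop runs."""


def parse_frame_header(buf, max_payload=MAX_PAYLOAD):
    """Return (fin, opcode, masked, payload_len, mask_key, header_len) or raise FrameError."""
    if len(buf) < 2:
        raise FrameError("need at least 2 header bytes")
    b0, b1 = buf[0], buf[1]
    fin = bool(b0 & 0x80)
    if b0 & 0x70:
        raise FrameError("RSV bits set without a negotiated extension")
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = 2
    if length == 126:                                  # 16-bit extended length follows
        if len(buf) < pos + 2:
            raise FrameError("truncated 16-bit length")
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if length < 126:                               # must use the shortest encoding
            raise FrameError("16-bit length must encode at least 126")
    elif length == 127:                                # 64-bit extended length follows
        if len(buf) < pos + 8:
            raise FrameError("truncated 64-bit length")
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
        if length >> 63:                               # RFC: most significant bit must be 0
            raise FrameError("64-bit length has the most significant bit set")
        if length < 0x10000:
            raise FrameError("64-bit length must encode at least 65536")
    if length > max_payload:
        raise FrameError(f"payload {length} exceeds cap {max_payload}")
    if opcode >= 0x8 and (length > 125 or not fin):    # close/ping/pong: short and unfragmented
        raise FrameError("control frame must be unfragmented and <= 125 bytes")
    mask_key = None
    if masked:
        if len(buf) < pos + 4:
            raise FrameError("truncated masking key")
        mask_key = bytes(buf[pos:pos + 4])
        pos += 4
    return fin, opcode, masked, length, mask_key, pos


def split_frames(buf):
    """Walk back-to-back frames; every iteration consumes bytes, so the loop is finite."""
    frames, pos = [], 0
    while pos < len(buf):
        _fin, opcode, masked, length, key, hlen = parse_frame_header(buf[pos:])
        start, end = pos + hlen, pos + hlen + length
        if end > len(buf):
            raise FrameError("truncated payload")
        payload = bytes(buf[start:end])
        if masked:
            payload = bytes(b ^ key[i % 4] for i, b in enumerate(payload))
        frames.append((opcode, payload))
        pos = end
    return frames


def build_frame(opcode, payload, mask_key=None, fin=True):
    """Encode one frame with the shortest legal length form (used to construct samples)."""
    n, mask_bit = len(payload), (0x80 if mask_key else 0)
    hdr = bytes([(0x80 if fin else 0) | opcode])
    if n < 126:
        hdr += bytes([mask_bit | n])
    elif n < 0x10000:
        hdr += bytes([mask_bit | 126]) + struct.pack("!H", n)
    else:
        hdr += bytes([mask_bit | 127]) + struct.pack("!Q", n)
    if mask_key:
        hdr += mask_key
        payload = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return hdr + payload


def as_signed_64(length_bytes):
    """Show what a reader that stores the 64-bit field in a signed long would see."""
    return struct.unpack("!q", length_bytes)[0]


# Constructed attacker frame: opcode 1 (text), 64-bit length with the top bit set.
BAD_MSB_FRAME = bytes([0x81, 0x7F]) + struct.pack("!Q", (1 << 63) | 5)
# Constructed non-minimal encodings the RFC forbids.
BAD_NONMINIMAL_64 = bytes([0x81, 0x7F]) + struct.pack("!Q", 5)
BAD_NONMINIMAL_16 = bytes([0x81, 0x7E]) + struct.pack("!H", 100)
```

The two non-minimal forms and the set top bit are exactly the values a fuzzer finds first; the last helper makes the classic failure visible, since a length such as 0x8000000000000005 reads as a negative number once it lands in a signed 64-bit variable, and any "bytes remaining > 0" loop built on it no longer makes progress.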
Release : 10.4.2 and below
Component : Spectrum OneClick
The Spectrum_10.04.02.PTF_10.4.206a patch for Spectrum 10.4.2 updates Tomcat to version 9.0.37, which addresses these vulnerabilities.
Spectrum 10.4.2.1 updates Tomcat to 9.0.37, which addresses these vulnerabilities.
Spectrum 10.5.0 will also include Tomcat 9.0.37 when released. No specific release date was available at the time this knowledge article was published.
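A way to confirm that the patch actually landed is to read the version Tomcat embeds in its own catalina.jar and compare it with the affected ranges above. The script below is an added example written for this article, not Spectrum's or Tomcat's code. The path org/apache/catalina/util/ServerInfo.properties and its server.info key are real contents of catalina.jar; the ranges for CVE-2020-13934 and CVE-2020-13935 are the ones quoted in this article, and the CVE-2020-11996 range (10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35, 8.5.0 to 8.5.55) is from the Apache Tomcat security pages. The in-memory jar used for the demonstration is constructed, not a real OneClick install.

```python
"""Report which of the three CVEs apply to a given Tomcat catalina.jar.

Added example; not part of the article, Spectrum or Tomcat. Milestones
(9.0.0.M5, 10.0.0-M6) sort before the GA release of the same x.y.z.
"""
import io
import re
import sys
import zipfile

SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"  # real entry inside catalina.jar
GA = 10**6  # milestone slot for a GA build, so 9.0.0.M27 < 9.0.1 and 10.0.0-M6 < 10.0.0 GA
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text):
    """'Apache Tomcat/9.0.37' -> (9, 0, 37, GA); '10.0.0-M6' -> (10, 0, 0, 6)."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version in {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else GA)


v = parse_version

# Inclusive affected ranges. 13934/13935 as quoted in the article; 11996 from the Apache advisory.
AFFECTED = {
    "CVE-2020-11996": [(v("10.0.0-M1"), v("10.0.0-M5")), (v("9.0.0.M1"), v("9.0.35")), (v("8.5.0"), v("8.5.55"))],
    "CVE-2020-13934": [(v("10.0.0-M1"), v("10.0.0-M6")), (v("9.0.0.M5"), v("9.0.36")), (v("8.5.1"), v("8.5.56"))],
    "CVE-2020-13935": [(v("10.0.0-M1"), v("10.0.0-M6")), (v("9.0.0.M1"), v("9.0.36")),
                       (v("8.5.0"), v("8.5.56")), (v("7.0.27"), v("7.0.104"))],
}


def affected_cves(version):
    """Return the sorted list of CVE ids whose affected range contains this version."""
    key = parse_version(version) if isinstance(version, str) else version
    return sorted(cve for cve, ranges in AFFECTED.items() if any(lo <= key <= hi for lo, hi in ranges))


def version_from_jar(jar):
    """Read the server.info value (e.g. 'Apache Tomcat/9.0.37') from a catalina.jar path or bytes."""
    src = io.BytesIO(jar) if isinstance(jar, bytes) else jar
    with zipfile.ZipFile(src) as zf:
        props = zf.read(SERVER_INFO).decode("utf-8", "replace")
    for line in props.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "server.info":
            return value.strip()
    raise ValueError("server.info not found in " + SERVER_INFO)


def fake_catalina_jar(server_info):
    """Constructed fixture: an in-memory jar holding only ServerInfo.properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SERVER_INFO, f"server.info={server_info}\nserver.built=example\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python check_tomcat.py /path/to/tomcat/lib/catalina.jar  (no argument: run the constructed sample)
    jar = sys.argv[1] if len(sys.argv) > 1 else fake_catalina_jar("Apache Tomcat/9.0.36")
    info = version_from_jar(jar)
    hits = affected_cves(info)
    print(f"{info}: {'affected by ' + ', '.join(hits) if hits else 'not affected by the three CVEs'}")
```

Point the script at the catalina.jar under the OneClick Tomcat's lib directory; an unpatched 10.4.2 install reports the 9.0.36 line as affected by CVE-2020-13934 and CVE-2020-13935, and a patched one reports 9.0.37 as clean.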