Tomcat Vulnerability CVE-2020-13943

Article ID: 202111

Products

CA Spectrum CA eHealth

Issue/Introduction

Apache Tomcat 8.5.x < 8.5.58 / 9.0.x < 9.0.38 HTTP/2 Request Mix-Up

The version of Tomcat installed on the remote host is 8.5.x prior to 8.5.58 or 9.0.x prior to 9.0.38. If an HTTP/2 client exceeds the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it is possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This can lead to users seeing responses for unexpected resources.


Cause

For this vulnerability to apply, HTTP/2 must be enabled on the Tomcat connector. An HTTP/2-enabled connector has a configuration such as the following:

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/key.pem"
                     certificateFile="conf/cert.pem"
                     certificateChainFile="conf/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

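As an added example (not part of the original article), the following Python script applies the two conditions described above to a server.xml: the Tomcat build must be in the affected range and a Connector must carry the HTTP/2 UpgradeProtocol. The two server.xml snippets are constructed samples, not Spectrum's shipped configuration.

```python
"""Check a Tomcat server.xml for HTTP/2-enabled connectors (CVE-2020-13943 exposure)."""
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

def http2_connectors(server_xml):
    """Return (port, protocol) for every <Connector> that nests an <UpgradeProtocol>
    with the HTTP/2 className; only those connectors can negotiate HTTP/2."""
    root = ET.fromstring(server_xml)
    hits = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == HTTP2_CLASS:
                hits.append((conn.get("port"), conn.get("protocol", "HTTP/1.1")))
                break
    return hits

def version_affected(version):
    """True for the affected ranges 8.5.x < 8.5.58 and 9.0.x < 9.0.38."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) == (8, 5):
        return patch < 58
    if (major, minor) == (9, 0):
        return patch < 38
    return False

def exposed(server_xml, version):
    """Both conditions must hold: an affected build AND an HTTP/2 connector configured."""
    return version_affected(version) and bool(http2_connectors(server_xml))

# Constructed sample: HTTPS connector with the HTTP/2 upgrade protocol enabled
HTTP2_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector>
</Service></Server>"""

# Constructed sample: HTTPS connector without UpgradeProtocol (HTTP/1.1 only)
HTTP1_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             maxThreads="150" SSLEnabled="true" />
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("http2", HTTP2_SERVER_XML), ("http1", HTTP1_SERVER_XML)):
        print(label, "exposed on 9.0.37:", exposed(xml, "9.0.37"))
```

Point it at the real conf/server.xml (read the file into a string) and the version reported by Tomcat to get the same yes/no answer the article's Resolution gives for Spectrum.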

Environment

Release : 20.2

Component : Spectrum Core / SpectroSERVER

Resolution

HTTP/2 is not enabled in the Tomcat configuration used by Spectrum.
Therefore, Spectrum is not vulnerable to this CVE.


Spectrum Connector (does not have the upgrade protocol, so it is not affected) ex
