Is CA Spectrum affected by Apache Tomcat vulnerability CVE-2020-17527?


Article ID: 204808



CA Spectrum CA eHealth


Is CA Spectrum affected by the Apache Tomcat vulnerability CVE-2020-17527?

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.



Spectrum 10.4.1


For this vulnerability to apply, HTTP/2 would need to be enabled in the Tomcat configuration, as follows.

An HTTP/2-enabled connector in server.xml would be configured like this:

<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" >
   <!-- This UpgradeProtocol element is what enables HTTP/2 on the connector -->
   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
   <!-- In Tomcat 8.5/9, Certificate must be nested inside SSLHostConfig -->
   <SSLHostConfig>
      <Certificate certificateKeyFile="conf/key.pem"
                   certificateChainFile="conf/chain.pem"
                   type="RSA" />
   </SSLHostConfig>
</Connector>


CA Spectrum 10.4.1 ships with Tomcat version 9.0.24, which falls within the affected range.

However, HTTP/2 is not used in the CA Spectrum Tomcat configuration. Therefore, Spectrum is not vulnerable to this CVE.
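The same two-part check the article applies (is the Tomcat version in an affected range, and does any Connector in server.xml enable the HTTP/2 upgrade protocol) can be scripted. The following is an added example, not code from the CA Spectrum product or the Tomcat project; the server.xml fragments are constructed samples and the version ranges are taken from the advisory text quoted above.

```python
# Added example: classify a Tomcat instance's exposure to CVE-2020-17527 from
# its version string and its server.xml. Not part of CA Spectrum or Tomcat.
import re
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"
GA = 10**6  # sentinel: a GA release sorts after every milestone (M-n) of it


def parse_version(v):
    """'9.0.39' -> (9, 0, 39, GA); '10.0.0-M9' -> (10, 0, 0, 9)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), int(ms) if ms else GA)


# Affected ranges as stated in the advisory quoted in the article.
AFFECTED = [
    (parse_version("10.0.0-M1"), parse_version("10.0.0-M9")),
    (parse_version("9.0.0-M1"), parse_version("9.0.39")),
    (parse_version("8.5.0"), parse_version("8.5.59")),
]


def version_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def http2_connectors(server_xml):
    """Ports of every Connector carrying an HTTP/2 UpgradeProtocol element."""
    root = ET.fromstring(server_xml)
    return [conn.get("port") for conn in root.iter("Connector")
            if any(up.get("className") == HTTP2_CLASS
                   for up in conn.findall("UpgradeProtocol"))]


def exposure(version, server_xml):
    """Vulnerable only when BOTH an affected version and HTTP/2 are present."""
    h2 = http2_connectors(server_xml)
    if not version_affected(version):
        return "not-affected", h2
    return ("vulnerable" if h2 else "affected-version-but-http2-disabled"), h2


# Constructed samples: HTTPS-only connector (no HTTP/2) vs. HTTP/2 enabled.
SAMPLE_NO_H2 = """<Server><Service>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" /></Service></Server>"""
SAMPLE_H2 = """<Server><Service>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
             maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  </Connector></Service></Server>"""
```

Running `exposure("9.0.24", open("conf/server.xml").read())` against a real installation reproduces the article's reasoning: an affected version with no HTTP/2 connector is reported as "affected-version-but-http2-disabled".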