Symantec Identity Manager - Connector Xpress 2.0 Apache Tomcat 9.0.0.M1 < 9.0.20 DoS Vulnerability. CVE-2019-10072 / CVE-2020-11996

Article ID: 252315


Products

CA Identity Suite, CA Identity Manager

Issue/Introduction

A recent vulnerability scan reported the two findings below against the Apache Tomcat instance bundled with Connector Xpress 2.0 (installed version 9.0.13). Both are HTTP/2 denial-of-service issues in Tomcat itself; the scanner flagged them from the server's self-reported version number and did not test the issues directly.

1. CVE-2019-10072

Apache Tomcat 9.0.0.M1 < 9.0.20 DoS. Installed version: 9.0.13. Fixed version: 9.0.20.

Scanner export (fields as exported):

Control: SI-2
Plugin ID: 126245
Status: Not Compliant
Unlabelled field: 32
Dates: 08-13-22, 09-14-22, 04-11-22
Host: <ip_address> (<hostname>), Server, CA Identity Suite - Remote Tools_Management, Windows 2016
Port: 20421/TCP
Severity: High, CVSS 7.5
Finding source: ITBSA Findings, <username>, ITBSA.FINDINGS
Plugin name: Apache Tomcat 9.0.0.M1 < 9.0.20 DoS
Synopsis: The remote Apache Tomcat server is affected by a denial of service vulnerability.
Description: The version of Tomcat installed on the remote host is prior to 9.0.20. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.20_security-9 advisory. The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. (CVE-2019-10072) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution: Upgrade to Apache Tomcat version 9.0.20 or later.
Plugin output: Installed version : 9.0.13 Fixed version : 9.0.20

2. CVE-2020-11996

Apache Tomcat 9.0.0.M1 < 9.0.36 DoS. Installed version: 9.0.13. Fixed version: 9.0.36.

Scanner export (fields as exported):

Control: SI-2
Plugin ID: 138098
Status: Not Compliant
Unlabelled field: 32
Dates: 08-13-22, 09-14-22, 04-11-22
Host: <ip_address> (<hostname>), Server, CA Identity Suite - Remote Tools_Management, Windows 2016
Port: 20421/TCP
IAVM / category: 2020-A-0292-S, CAT I
Severity: High, CVSS 7.5
Finding source: ITBSA Findings, <username>, ITBSA.FINDINGS
Plugin name: Apache Tomcat 9.0.0.M1 < 9.0.36 DoS
Synopsis: The remote Apache Tomcat server is affected by a denial of service vulnerability.
Description: The version of Tomcat installed on the remote host is prior to 9.0.36. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.36_security-9 advisory. A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. (CVE-2020-11996) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution: Upgrade to Apache Tomcat version 9.0.36 or later.
Plugin output: Installed version : 9.0.13 Fixed version : 9.0.36
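Because both findings were raised from the server's self-reported version, a practitioner will usually want to confirm the actual Tomcat build on the Connector Xpress host and whether HTTP/2 (which both CVEs require) is even enabled on its connectors. The script below is an added example written for this article, not code from Symantec, Broadcom or the Tomcat project. It assumes the standard Tomcat layout, where lib/catalina.jar carries org/apache/catalina/util/ServerInfo.properties with a server.number key, and that HTTP/2 is enabled per connector through an UpgradeProtocol element in server.xml. The catalina.jar and server.xml used here are constructed in memory so the example runs offline; the affected ranges and the 14.4 CP2 target version (9.0.64) are taken from this article.

```python
"""Verify the bundled Tomcat version against the two scanner findings (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard location of Tomcat's version properties inside lib/catalina.jar.
SERVERINFO_PATH = "org/apache/catalina/util/ServerInfo.properties"

# (CVE, first affected release, first fixed release) as reported by the scanner.
TOMCAT9_FINDINGS = [
    ("CVE-2019-10072", "9.0.0.M1", "9.0.20"),
    ("CVE-2020-11996", "9.0.0.M1", "9.0.36"),
]
CP2_TARGET = "9.0.64"  # Tomcat version shipped with Identity Manager 14.4 CP2


def parse_version(v):
    """Turn '9.0.0.M1', '9.0.13' or '9.0.13.0' into a sortable tuple.

    Milestone builds (M1, M2, ...) sort before the corresponding final release,
    so 9.0.0.M1 < 9.0.1 as the scanner's range notation intends.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:\.?M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {v!r}")
    major, minor, patch, build, milestone = m.groups()
    final_rank = 0 if milestone else 1
    return (int(major), int(minor), int(patch), final_rank,
            int(milestone or 0), int(build or 0))


def read_server_number(catalina_jar_bytes):
    """Read server.number from ServerInfo.properties inside catalina.jar (bytes)."""
    with zipfile.ZipFile(io.BytesIO(catalina_jar_bytes)) as jar:
        props = jar.read(SERVERINFO_PATH).decode("utf-8")
    for line in props.splitlines():
        if line.strip().startswith("server.number="):
            return line.split("=", 1)[1].strip()
    raise ValueError("server.number not present in ServerInfo.properties")


def affected_cves(version):
    """CVEs from the findings list whose affected range contains this version."""
    ver = parse_version(version)
    return [cve for cve, first, fixed in TOMCAT9_FINDINGS
            if parse_version(first) <= ver < parse_version(fixed)]


def http2_enabled(server_xml):
    """True if any Connector in server.xml has an HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if "Http2Protocol" in upgrade.get("className", ""):
                return True
    return False


def assess(catalina_jar_bytes, server_xml):
    """Combine the version check with the HTTP/2 reachability check."""
    version = read_server_number(catalina_jar_bytes)
    return {
        "installed": version,
        "open_cves": affected_cves(version),
        "http2_enabled": http2_enabled(server_xml),
        "meets_cp2_level": parse_version(version) >= parse_version(CP2_TARGET),
    }


def build_fake_catalina_jar(server_number):
    """Constructed stand-in for lib/catalina.jar so the example runs offline."""
    short = server_number.rsplit(".", 1)[0] if server_number.count(".") == 3 else server_number
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVERINFO_PATH,
                     f"server.info=Apache Tomcat/{short}\nserver.number={server_number}\n")
    return buf.getvalue()


# Constructed server.xml fragment (not Connector Xpress's real configuration);
# the port matches the one in the scan export, HTTP/2 is enabled on it.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="20421" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("9.0.13.0", "9.0.20.0", "9.0.64.0"):
        print(ver, assess(build_fake_catalina_jar(ver), SAMPLE_SERVER_XML))
```

On a real host, pass the bytes of the bundled Tomcat's lib/catalina.jar and the text of its conf/server.xml to assess(). An installed 9.0.13 returns both CVEs as open; if http2_enabled is False the HTTP/2 window-exhaustion and CPU paths are not reachable through those connectors, which helps prioritise but does not remove the need to apply the cumulative patch.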

Environment

Release : 14.4

Resolution

Symantec Identity Manager 14.4 CP2 remediates both findings: it ships Apache Tomcat 9.0.64, which is later than the fixed versions (9.0.20 and 9.0.36) cited by the scanner.

Additional Information

Do not update Apache Tomcat manually. The Tomcat instance is laid down by the installer, and replacing it by hand will break the application; apply the cumulative patch instead.