https://bugzilla.redhat.com/show_bug.cgi?id=1857040
Bug ID: 1857040
Summary: CVE-2020-13934 tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: jwon@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, alee@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmoulliard@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gzaronik@redhat.com, hhorak@redhat.com, huwang@redhat.com, ibek@redhat.com, ikanello@redhat.com, ivan.afonichev@gmail.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jclere@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jolee@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, kbasil@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, kwills@redhat.com, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, mbabacek@redhat.com, mburns@redhat.com, mizdebsk@redhat.com, mkolesni@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, myarboro@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, tom.jenkinson@redhat.com, vhalbert@redhat.com, weli@redhat.com
Blocks: 1857036
Target Milestone: ---
Classification: Other
A flaw was found in Apache Tomcat, where an h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur, leading to a denial of service.
It affects Apache Tomcat 10.0.0-M1 to 10.0.0-M6, Apache Tomcat 9.0.0.M5 to 9.0.36, and Apache Tomcat 8.5.1 to 8.5.56.
Upstream commits:
Tomcat 10.0: https://github.com/apache/tomcat/commit/c9167ae30f3b03b112f3d81772e3450b7d0e...
Tomcat 9.0: https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230...
Tomcat 8.5: https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc...
Reference: http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3Cad62...
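As an added example (not part of this bug report and not Tomcat's own code), the following Python script performs the exposure triage that the report and its product statements describe in prose: it checks whether a Tomcat version falls inside the affected ranges listed above, and it scans a server.xml for connectors that enable HTTP/2 through the Http2Protocol UpgradeProtocol, since the h2c upgrade path in the description is only reachable when HTTP/2 is enabled on a cleartext connector. The embedded server.xml is constructed sample input and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as listed in the bug description (inclusive bounds).
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M6"),
    ("9.0.0.M5", "9.0.36"),
    ("8.5.1", "8.5.56"),
]

# The UpgradeProtocol class that enables HTTP/2 on a Tomcat connector.
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Matches "9.0.36", "8.5.1", "10.0.0-M6" and the older "9.0.0.M5" spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# A final release sorts after every milestone (M1..Mn) of the same number.
_FINAL = 10**6


def parse_version(text):
    """Turn a Tomcat version string into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else _FINAL
    return (int(major), int(minor), int(patch), ms)


def is_affected_version(version):
    """True if the version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def http2_connectors(server_xml):
    """Return (port, mode) for every Connector that enables Http2Protocol.

    mode is "h2c cleartext" for a connector without SSLEnabled="true", which is
    where the h2c upgrade described in the bug can occur, and "h2 over TLS"
    otherwise (listed so a reviewer sees every HTTP/2-enabled connector).
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        upgrades = conn.findall("UpgradeProtocol")
        if not any(u.get("className") == HTTP2_CLASS for u in upgrades):
            continue
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        findings.append((conn.get("port"), "h2 over TLS" if tls else "h2c cleartext"))
    return findings


def assess(version, server_xml):
    """Combine the version check and the connector scan into one verdict."""
    if not is_affected_version(version):
        return "not in an affected range"
    h2c = [port for port, mode in http2_connectors(server_xml) if mode == "h2c cleartext"]
    if h2c:
        return f"affected version with h2c enabled on port(s) {', '.join(h2c)}"
    return "affected version but HTTP/2 cleartext upgrade not enabled"


# Constructed sample server.xml: a cleartext connector with HTTP/2, a TLS
# connector with HTTP/2, and an AJP connector without it.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("9.0.36", "9.0.37", "10.0.0-M6", "8.5.57"):
        print(ver, "->", assess(ver, SAMPLE_SERVER_XML))
```

Run against a real deployment, the version string comes from the Tomcat build (for example the version reported by catalina.sh) and the XML from the instance's conf/server.xml; a verdict of "not in an affected range" or "HTTP/2 cleartext upgrade not enabled" corresponds to the reasoning the product statements below apply to pki-servlet-engine.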
--- Comment #1 from Ted (Jong Seok) Won jwon@redhat.com --- External References:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3Cad62...
http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105
--- Comment #3 from Ted (Jong Seok) Won jwon@redhat.com --- This vulnerability is out of security support scope for the following product:
* Red Hat JBoss Data Virtualization 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #4 from Ted (Jong Seok) Won jwon@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat Enterprise Application Platform 6
* Red Hat Data Grid 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #7 from Jonathan Christison jochrist@redhat.com --- Red Hat JBoss Fuse 6 ships some of the vulnerable artifacts as bundled artifacts in ops4j pax web; however, there is no use of these artifacts in Fuse itself, and the artifacts are also prevented from loading with a deny list in karaf. For these reasons we believe the impact upon Fuse 6.3 is low.
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Todd Cullum tcullum@redhat.com changed:
What  |Removed |Added
CC    |        |cbuissar@redhat.com
Flags |        |needinfo?(cbuissar@redhat.com)
--- Comment #13 from Cedric Buissart 🐶 cbuissar@redhat.com --- Statement:
Red Hat Certificate System 10.0, as well as Red Hat Enterprise Linux 8's Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, HTTP/2 is not enabled in such a configuration, and thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code.
Cedric Buissart 🐶 cbuissar@redhat.com changed:
What       |Removed |Added
Depends On |        |1857837
Cedric Buissart 🐶 cbuissar@redhat.com changed:
What  |Removed                        |Added
Flags |needinfo?(cbuissar@redhat.com) |
--- Comment #16 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.3 on RHEL 7
Red Hat JBoss Web Server 5.3 on RHEL 6
Red Hat JBoss Web Server 5.3 on RHEL 8
Via RHSA-2020:3306 https://access.redhat.com/errata/RHSA-2020:3306
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
Link ID |        |Red Hat Product Errata RHSA-2020:3306
--- Comment #17 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2020:3308 https://access.redhat.com/errata/RHSA-2020:3308
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
Link ID |        |Red Hat Product Errata RHSA-2020:3308
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        |Removed |Added
Status      |NEW     |CLOSED
Resolution  |---     |ERRATA
Last Closed |        |2020-08-04 13:28:00
--- Comment #18 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2020-13934
Kunjan Rathod krathod@redhat.com changed:
What     |Removed |Added
Doc Type |---     |If docs needed, set a value
Doran Moppert dmoppert@redhat.com changed:
What       |Removed |Added
Depends On |        |1867433
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1867433 [Bug 1867433] CVE-2020-13934 tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS [fedora-all]
--- Comment #19 from Doran Moppert dmoppert@redhat.com --- Created tomcat tracking bugs for this issue:
Affects: fedora-all [bug 1867433]
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was found in Apache Tomcat, where an h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests are made, an OutOfMemoryException could occur, leading to a denial of service. The highest threat from this vulnerability is to system availability.
--- Comment #22 from RaTasha Tillery-Smith rtillery@redhat.com --- Statement:
Red Hat Certificate System 10.0 and Red Hat Enterprise Linux 8's Identity Management are using a vulnerable version of Tomcat that is bundled into the pki-servlet-engine component. However, HTTP/2 is not enabled in such a configuration, and it is not possible to trigger the flaw in a supported setup. A future update may fix the code.
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Runtimes Spring Boot 2.2.6
Via RHSA-2020:3806 https://access.redhat.com/errata/RHSA-2020:3806
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
Link ID |        |Red Hat Product Errata RHSA-2020:3806
Huzaifa S. Sidhpurwala huzaifas@redhat.com changed:
What       |Removed |Added
Depends On |        |1910709
Bug 1857040 depends on bug 1867433, which changed state.
Bug 1867433 Summary: CVE-2020-13934 tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1867433
What       |Removed |Added
Status     |NEW     |CLOSED
Resolution |---     |EOL
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.9
Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
Link ID |        |Red Hat Product Errata RHSA-2021:3140
Joshua Mulliken jmullike@redhat.com changed:
What |Removed |Added
CC   |        |pdrozd@redhat.com, sthorger@redhat.com
Paramvir jindal pjindal@redhat.com changed:
What |Removed                                                   |Added
CC   |aboyko@redhat.com, pdrozd@redhat.com, sthorger@redhat.com |
java-sig-commits@lists.fedoraproject.org