https://bugzilla.redhat.com/show_bug.cgi?id=1857040
Bug ID: 1857040
Summary: CVE-2020-13934 tomcat: OutOfMemoryException caused by HTTP/2 connection leak could lead to DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: jwon@redhat.com
CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, alee@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, avibelli@redhat.com, bbaranow@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmoulliard@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dbecker@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gzaronik@redhat.com, hhorak@redhat.com, huwang@redhat.com, ibek@redhat.com, ikanello@redhat.com, ivan.afonichev@gmail.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jclere@redhat.com, jjoyce@redhat.com, jochrist@redhat.com, jolee@redhat.com, jorton@redhat.com, jpallich@redhat.com, jperkins@redhat.com, jschatte@redhat.com, jschluet@redhat.com, jstastny@redhat.com, jwon@redhat.com, kbasil@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, kwills@redhat.com, lgao@redhat.com, lhh@redhat.com, lpeer@redhat.com, lthon@redhat.com, mbabacek@redhat.com, mburns@redhat.com, mizdebsk@redhat.com, mkolesni@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, mszynkie@redhat.com, myarboro@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pgallagh@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, rguimara@redhat.com, rhcs-maint@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sclewis@redhat.com, scohen@redhat.com, sdaley@redhat.com, slinaber@redhat.com, smaestri@redhat.com, tom.jenkinson@redhat.com, vhalbert@redhat.com, weli@redhat.com
Blocks: 1857036
Target Milestone: ---
Classification: Other
A flaw was found in Apache Tomcat, where an h2c (cleartext HTTP/2) direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. Each such connection therefore leaked a processor object; if a sufficient number of such requests were made, an OutOfMemoryException could occur, leading to a denial of service. Only connectors that accept h2c are exposed; TLS connectors negotiate HTTP/2 via ALPN rather than the h2c upgrade path.
Affected versions: Apache Tomcat 10.0.0-M1 to 10.0.0-M6, Apache Tomcat 9.0.0.M5 to 9.0.36, and Apache Tomcat 8.5.1 to 8.5.56. The upstream fix ships in the next release on each branch (10.0.0-M7, 9.0.37 and 8.5.57).
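The following Python script is an added triage example, not part of this bug report or of the Tomcat project. It encodes the affected ranges above, sorts Tomcat milestone strings (9.0.0.M5, 10.0.0-M6) below the matching GA numbers so range checks come out right, and inspects a server.xml for connectors that carry the HTTP/2 UpgradeProtocol without SSLEnabled="true", which is the only configuration where the h2c path exists. The sample server.xml and the version strings fed to it are constructed for illustration; the element and attribute names are the ones Tomcat's own configuration uses.

```python
"""Exposure triage for CVE-2020-13934 (Apache Tomcat h2c processor leak).

Two checks a responder would run on a host: is the installed Tomcat inside
one of the affected version ranges, and does server.xml actually enable the
HTTP/2 upgrade protocol on a cleartext (non-TLS) connector, which is the
h2c path the flaw lives in. The sample config and version strings below are
constructed for the example; the ranges are the ones in the bug description.
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges, inclusive, as given in the bug description.
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M6"),
    ("9.0.0.M5", "9.0.36"),
    ("8.5.1", "8.5.56"),
]

HTTP2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a sortable tuple.

    Tomcat writes milestones two ways ("9.0.0.M5", "10.0.0-M6"); both are
    pre-releases that sort before the matching GA number, so the fourth
    element is 0 for a milestone and 1 for a GA build.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the version falls inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def h2c_connectors(server_xml):
    """Return ports of connectors that accept cleartext HTTP/2 (h2c).

    A connector counts when it has an UpgradeProtocol child with the HTTP/2
    class and is not SSLEnabled; TLS connectors negotiate h2 via ALPN, not
    via the h2c upgrade path described in the advisory.
    """
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        upgrades = [u.get("className") for u in conn.findall("UpgradeProtocol")]
        if HTTP2_UPGRADE_CLASS not in upgrades:
            continue
        if conn.get("SSLEnabled", "false").lower() == "true":
            continue
        ports.append(conn.get("port"))
    return ports


def triage(version, server_xml):
    """Combine both checks into one verdict for a host."""
    affected = is_affected(version)
    ports = h2c_connectors(server_xml)
    return {
        "version": version,
        "version_affected": affected,
        "h2c_ports": ports,
        "exposed": affected and bool(ports),
    }


# Constructed sample config: one cleartext connector with the HTTP/2 upgrade
# protocol enabled (h2c, exposed) and one TLS connector with the same child
# element (h2 over ALPN, not the h2c path).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("9.0.36", "9.0.37", "10.0.0-M6", "8.5.56", "8.5.57"):
        print(ver, triage(ver, SAMPLE_SERVER_XML))
```

On a real host, feed `triage()` the output of `$CATALINA_HOME/bin/version.sh` and the contents of `conf/server.xml`; a host whose version is in range but has no cleartext HTTP/2 connector is still worth patching, but is not reachable through the path this bug describes.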
Upstream commits:
Tomcat 10.0: https://github.com/apache/tomcat/commit/c9167ae30f3b03b112f3d81772e3450b7d0e...
Tomcat 9.0: https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230...
Tomcat 8.5: https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc...
Reference: http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3Cad62...