Upgrade Tomcat to version 9.0.37


h3. Issue Summary

* The current version of Tomcat, 9.0.33, bundled with Confluence (at least up to Confluence version 7.6) is vulnerable to HTTP/2 Denial of Service CVE-2020-11996: [https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_9.0.36], [http://mail-archives.us.apache.org/mod_mbox/www-announce/202006.mbox/%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4%40apache.org%3E]. This vulnerability uses "(a) specially crafted sequence of HTTP/2 requests" to "trigger high CPU usage for several seconds." A large number of these HTTP/2 requests could be used to make an application unresponsive.

h3. Versions Affected:

* Apache Tomcat 10.0.0-M1 to 10.0.0-M5
* Apache Tomcat 9.0.0.M1 to 9.0.35
* Apache Tomcat 8.5.0 to 8.5.55

h3. Versions not affected:

* Apache Tomcat 10.0.0-M6 or later
* Apache Tomcat 9.0.36 or later
* Apache Tomcat 8.5.56 or later

h3. Notes

* By default Confluence is configured to use an HTTP/1.1 connector and would not be vulnerable to this CVE.

h3. Mitigation

* No workaround is needed to mitigate this vulnerability.
* If your organization determines that you cannot use a version of Tomcat that is affected by CVE-2020-11996, you can manually update the version of Tomcat used by Confluence to an unaffected version (9.0.37) as described in [How to Upgrade The Tomcat Container for Confluence|https://confluence.atlassian.com/confkb/how-to-upgrade-the-tomcat-container-for-confluence-336757062.html].
** Note: Manually upgrading the version of Tomcat used by Confluence is not supported. If any issues arise from making this change, Atlassian Support would first recommend going back to a supported version of Tomcat.
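The Notes and Mitigation sections above make exposure depend on two facts about an install: the bundled Tomcat build and whether any live connector actually enables HTTP/2. The following script is an added example (not part of this issue, nor Atlassian or Tomcat code) that checks both. It assumes the standard Confluence layout (conf/server.xml, and lib/catalina.jar carrying org/apache/catalina/util/ServerInfo.properties with a server.number line); the sample files it writes are constructed for the demo, and connectors inside XML comments are deliberately ignored so a commented-out HTTP/2 block does not produce a false positive.

```shell
#!/bin/sh
# Added example, not from the Atlassian issue or from Tomcat/Confluence itself.
# Checks two things about a Confluence install (assumed standard layout:
# conf/server.xml, and lib/catalina.jar containing
# org/apache/catalina/util/ServerInfo.properties):
#   1. is the bundled Tomcat 9.0.x in the CVE-2020-11996 affected range (<= 9.0.35)?
#   2. is an HTTP/2 UpgradeProtocol configured on an *uncommented* connector?
# Exposure needs both. The sample files at the bottom are constructed for the demo.

# Strip <!-- ... --> comments (they may span lines) so commented-out
# connectors are not counted as enabled.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_c) {
                i = index(line, "-->")
                if (i == 0) { line = "" } else { line = substr(line, i + 3); in_c = 0 }
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = "" }
                else { out = out substr(line, 1, i - 1); line = substr(line, i + 4); in_c = 1 }
            }
        }
        print out
    }' "$1"
}

# Exit 0 if server.xml has a live HTTP/2 upgrade protocol, 1 otherwise.
http2_enabled() {
    strip_xml_comments "$1" | grep -q 'org.apache.coyote.http2.Http2Protocol'
}

# Print server.number (e.g. 9.0.33.0) from an extracted ServerInfo.properties.
# On a real install extract it with:
#   unzip -p lib/catalina.jar org/apache/catalina/util/ServerInfo.properties
tomcat_version() {
    sed -n 's/^server\.number=//p' "$1"
}

# Exit 0 if a 9.0.x version lies in the affected range 9.0.0.M1 .. 9.0.35.
# Only the 9.0 branch is handled, since that is what Confluence bundles.
tomcat9_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    patch=$(printf '%s' "$1" | cut -d. -f3)
    [ "$major" = "9" ] && [ "$minor" = "0" ] && [ "$patch" -le 35 ]
}

# Combined verdict: prints EXPOSED / NOT_EXPOSED plus the reason; exit 0 only when exposed.
assess() {   # $1 = ServerInfo.properties path, $2 = server.xml path
    ver=$(tomcat_version "$1")
    if ! tomcat9_affected "$ver"; then
        echo "NOT_EXPOSED tomcat $ver is not in the affected range"; return 1
    fi
    if ! http2_enabled "$2"; then
        echo "NOT_EXPOSED tomcat $ver is affected but only HTTP/1.1 connectors are live"; return 1
    fi
    echo "EXPOSED tomcat $ver with a live HTTP/2 upgrade protocol"; return 0
}

# --- constructed sample inputs (not real Confluence files) ---
DEMO=$(mktemp -d)
printf 'server.info=Apache Tomcat/9.0.33\nserver.number=9.0.33.0\n' > "$DEMO/ServerInfo.properties"
# Default-style config: HTTP/1.1 only, HTTP/2 block present but commented out.
cat > "$DEMO/server-default.xml" <<'EOF'
<Server port="8000"><Service name="Tomcat-Standalone">
  <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol">
         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/></Connector> -->
</Service></Server>
EOF
# Config where an admin really enabled HTTP/2 on the TLS connector.
cat > "$DEMO/server-h2.xml" <<'EOF'
<Server port="8000"><Service name="Tomcat-Standalone">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
</Service></Server>
EOF
assess "$DEMO/ServerInfo.properties" "$DEMO/server-default.xml" || true   # NOT_EXPOSED
assess "$DEMO/ServerInfo.properties" "$DEMO/server-h2.xml" || true        # EXPOSED
```

On a real host, replace the two sample paths with <confluence-install>/conf/server.xml and the properties file extracted from lib/catalina.jar; an EXPOSED verdict is the case where the manual upgrade to 9.0.37 described in the Mitigation section becomes relevant, while NOT_EXPOSED on an HTTP/1.1-only default install matches the note above.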

Affected Software

CPE Name Name Version
confluence server and data center 7.8.0
confluence server and data center 7.5.2
confluence server and data center 7.7.4