Lucene search

K
atlassian[email protected]ATLASSIAN:CONFSERVER-60004
HistoryJun 29, 2020 - 1:40 p.m.

Upgrade Tomcat to version 9.0.37

2020-06-2913:40:00
jira.atlassian.com
216

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

h3. Issue Summary

This vulnerability uses “(a) specially crafted sequence of HTTP/2 requests” to “trigger high CPU usage for several seconds.” A large number of these HTTP/2 requests could be used to make an application unresponsive.

h3. Versions Affected:

  • Apache Tomcat 10.0.0-M1 to 10.0.0-M5
  • Apache Tomcat 9.0.0.M1 to 9.0.35
  • Apache Tomcat 8.5.0 to 8.5.55

h3. Versions affected:

  • Apache Tomcat 10.0.0-M6 or later
  • Apache Tomcat 9.0.36 or later
  • Apache Tomcat 8.5.56 or later

h3. Notes

  • By default Confluence is configured to use an HTTP/1.1 connector and would not be vulnerable to this CVE

h3. Mitigation

  • No workaround is needed to mitigate this vulnerability.
  • If your organization determines that you cannot use a version of Tomcat that is affected by CVE-2020-11996 you can manually update the version of Tomcat used by Confluence to an unaffected version (9.0.37) as described in [How to Upgrade The Tomcat Container for Confluence|https://confluence.atlassian.com/confkb/how-to-upgrade-the-tomcat-container-for-confluence-336757062.html]
    ** Note: Manually upgrading the version of Tomcat used by Confluence is not supported. If any issues arise from making this change, Atlassian Support would first recommend going back to a supported version of Tomcat.

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

Related for ATLASSIAN:CONFSERVER-60004