Bug 1857024 (CVE-2020-13935)
| Summary: | CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Ted Jongseok Won <jwon> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, akoufoud, alazarot, alee, almorale, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bihu, bmaxwell, brian.stansberry, cbuissar, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dbecker, dkreling, dosoudil, drieden, etirelli, ggaughan, gmalinko, gzaronik, hhorak, huwang, ibek, ikanello, ivan.afonichev, iweiss, janstey, java-sig-commits, jawilson, jbalunas, jclere, jjoyce, jlyle, jochrist, jolee, jorton, jpallich, jperkins, jschatte, jschluet, jstastny, jwon, kbasil, krathod, krzysztof.daniel, kverlaen, kwills, lgao, lhh, lpeer, lthon, mbabacek, mburns, mizdebsk, mkolesni, mnovotny, msochure, msvehla, mszynkie, mulliken, myarboro, nbhumkar, nwallace, paradhya, pgallagh, pjindal, pmackay, psotirop, rguimara, rhcs-maint, rhel8-maint, rpelisse, rrajasek, rruss, rstancel, rsvoboda, rsynek, sclewis, scohen, sdaley, slinaber, smaestri, tom.jenkinson, vhalbert, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | tomcat 10.0.0-M7, tomcat 9.0.37, tomcat 8.5.57, tomcat 7.0.105 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-08-04 13:27:50 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1857460, 1857461, 1857497, 1858315, 1861193, 1867432, 1910710 | ||
| Bug Blocks: | 1857013 | ||
|
Description
Ted Jongseok Won
2020-07-15 00:41:10 UTC
External References: http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7 http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37 http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105 This vulnerability is out of security support scope for the following product: * Red Hat JBoss Data Virtualization 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat Data Grid 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. Red Hat Jboss Fuse 6 ships some of the vulnerable artifacts as bundled artifacts in ops4j pax web, however there is no use of these artifacts in Fuse itself, the artifacts are also prevented from loading with a deny list in karaf, for these reasons we believe the impact upon Fuse 6.3 is low. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This vulnerability is out of security support scope for the following product: * Red Hat Software Collections Common Java Packages Please see https://access.redhat.com/support/policy/updates/rhscl and https://access.redhat.com/support/policy/updates/rhscl-rhel7 for more details Red Hat OpenStack Platform 13 is affected as it ships tomcat-embed-websockets 8.0.46, which does not include the check for `payloadLength < 0` in `processRemainingHeader()`. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Changing OpenStack Platform 13 to affected/wontfix as we ship the vulnerable code but it is not used by default. This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2020:3303 https://access.redhat.com/errata/RHSA-2020:3303 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:3305 https://access.redhat.com/errata/RHSA-2020:3305 This issue has been addressed in the following products: Red Hat JBoss Web Server 5.3 on RHEL 7 Red Hat JBoss Web Server 5.3 on RHEL 6 Red Hat JBoss Web Server 5.3 on RHEL 8 Via RHSA-2020:3306 https://access.redhat.com/errata/RHSA-2020:3306 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:3308 https://access.redhat.com/errata/RHSA-2020:3308 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13935 Statement: Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8's Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there are no entry point for WebSockets, and thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with websocket functionality enabled by default. Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1867432] This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 async Via RHSA-2020:3382 https://access.redhat.com/errata/RHSA-2020:3382 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2020:3383 https://access.redhat.com/errata/RHSA-2020:3383 This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.2.6 Via RHSA-2020:3806 https://access.redhat.com/errata/RHSA-2020:3806 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:4004 https://access.redhat.com/errata/RHSA-2020:4004 This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140 This issue has been addressed in the following products: EAP 6.4.24 release Via RHSA-2022:5458 https://access.redhat.com/errata/RHSA-2022:5458 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2022:5459 https://access.redhat.com/errata/RHSA-2022:5459 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2022:5460 https://access.redhat.com/errata/RHSA-2022:5460 |