Bug 1857024 (CVE-2020-13935) - CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS
Summary: CVE-2020-13935 tomcat: multiple requests with invalid payload length in a Web...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-13935
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1857460 1857461 1857497 1858315 1861193 1867432 1910710
Blocks: 1857013
TreeView+ depends on / blocked
 
Reported: 2020-07-15 00:41 UTC by Ted Jongseok Won
Modified: 2022-06-30 19:11 UTC (History)
95 users (show)

Fixed In Version: tomcat 10.0.0-M7, tomcat 9.0.37, tomcat 8.5.57, tomcat 7.0.105
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-08-04 13:27:50 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:4122 0 None None None 2020-09-30 11:18:50 UTC
Red Hat Product Errata RHBA-2020:4123 0 None None None 2020-09-30 11:06:12 UTC
Red Hat Product Errata RHBA-2020:4124 0 None None None 2020-09-30 11:05:36 UTC
Red Hat Product Errata RHBA-2020:4169 0 None None None 2020-10-05 10:46:59 UTC
Red Hat Product Errata RHBA-2020:4241 0 None None None 2020-10-13 15:45:44 UTC
Red Hat Product Errata RHBA-2020:4345 0 None None None 2020-10-26 16:00:36 UTC
Red Hat Product Errata RHSA-2020:3303 0 None None None 2020-08-04 11:14:04 UTC
Red Hat Product Errata RHSA-2020:3305 0 None None None 2020-08-04 11:17:46 UTC
Red Hat Product Errata RHSA-2020:3306 0 None None None 2020-08-04 11:35:40 UTC
Red Hat Product Errata RHSA-2020:3308 0 None None None 2020-08-04 11:40:08 UTC
Red Hat Product Errata RHSA-2020:3382 0 None None None 2020-08-10 11:21:51 UTC
Red Hat Product Errata RHSA-2020:3383 0 None None None 2020-08-10 11:34:23 UTC
Red Hat Product Errata RHSA-2020:3806 0 None None None 2020-09-23 16:27:35 UTC
Red Hat Product Errata RHSA-2020:4004 0 None None None 2020-09-29 20:31:09 UTC
Red Hat Product Errata RHSA-2021:3140 0 None None None 2021-08-11 18:25:54 UTC
Red Hat Product Errata RHSA-2022:5458 0 None None None 2022-06-30 18:34:43 UTC
Red Hat Product Errata RHSA-2022:5459 0 None None None 2022-06-30 18:56:08 UTC
Red Hat Product Errata RHSA-2022:5460 0 None None None 2022-06-30 19:11:09 UTC

Description Ted Jongseok Won 2020-07-15 00:41:10 UTC
A flaw was found in the Apache Tomcat, where the payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

It affects the version of Apache Tomcat 10.0.0-M1 to 10.0.0-M6, Apache Tomcat 9.0.0.M1 to 9.0.36, Apache Tomcat 8.5.0 to 8.5.56, and Apache Tomcat 7.0.27 to 7.0.104.

Upstream commits:

Tomcat 10.0: https://github.com/apache/tomcat/commit/1c1c77b0efb667cea80b532440b44cea1dc427c3
Tomcat 9.0: https://github.com/apache/tomcat/commit/40fa74c74822711ab878079d0a69f7357926723d
Tomcat 8.5: https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5
Tomcat 7.0: https://github.com/apache/tomcat/commit/f9f75c14678b68633f79030ddf4ff827f014cc84, https://github.com/apache/tomcat/commit/4c04982870d6e730c38e21e58fb653b7cf723784

Reference: http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E

Comment 3 Ted Jongseok Won 2020-07-15 00:54:36 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 4 Ted Jongseok Won 2020-07-15 03:19:39 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat Data Grid 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 8 Jonathan Christison 2020-07-15 10:55:10 UTC
Red Hat Jboss Fuse 6 ships some of the vulnerable artifacts as bundled artifacts in ops4j pax web, however there is no use of these artifacts in Fuse itself, the artifacts are also prevented from loading with a deny list in karaf, for these reasons we believe the impact upon Fuse 6.3 is low.

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 11 Todd Cullum 2020-07-15 22:12:59 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat Software Collections Common Java Packages

Please see https://access.redhat.com/support/policy/updates/rhscl and https://access.redhat.com/support/policy/updates/rhscl-rhel7 for more details

Comment 15 Anten Skrabec 2020-07-16 12:40:18 UTC
Red Hat OpenStack Platform 13 is affected as it ships tomcat-embed-websockets 8.0.46, which does not include the check for `payloadLength < 0` in `processRemainingHeader()`.

Comment 21 Todd Cullum 2020-07-17 18:36:01 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 28 Anten Skrabec 2020-07-29 23:03:37 UTC
Changing OpenStack Platform 13 to affected/wontfix as we ship the vulnerable code but it is not used by default.

Comment 29 errata-xmlrpc 2020-08-04 11:13:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2020:3303 https://access.redhat.com/errata/RHSA-2020:3303

Comment 30 errata-xmlrpc 2020-08-04 11:17:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:3305 https://access.redhat.com/errata/RHSA-2020:3305

Comment 31 errata-xmlrpc 2020-08-04 11:35:32 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.3 on RHEL 7
  Red Hat JBoss Web Server 5.3 on RHEL 6
  Red Hat JBoss Web Server 5.3 on RHEL 8

Via RHSA-2020:3306 https://access.redhat.com/errata/RHSA-2020:3306

Comment 32 errata-xmlrpc 2020-08-04 11:39:57 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2020:3308 https://access.redhat.com/errata/RHSA-2020:3308

Comment 33 Product Security DevOps Team 2020-08-04 13:27:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13935

Comment 34 Anten Skrabec 2020-08-04 14:14:33 UTC
Statement:

Red Hat Certificate System 10.0 as well as Red Hat Enterprise Linux 8's Identity Management, are using a vulnerable version of Tomcat, bundled into the pki-servlet-engine component. However, there are no entry point for WebSockets, and thus it is not possible to trigger the flaw in a supported setup. A future update may fix the code. Similarly, Red Hat OpenStack Platform 13 does not ship with websocket functionality enabled by default.

Comment 35 Doran Moppert 2020-08-10 01:33:52 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1867432]

Comment 36 errata-xmlrpc 2020-08-10 11:21:41 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 async

Via RHSA-2020:3382 https://access.redhat.com/errata/RHSA-2020:3382

Comment 37 errata-xmlrpc 2020-08-10 11:34:14 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2020:3383 https://access.redhat.com/errata/RHSA-2020:3383

Comment 41 errata-xmlrpc 2020-09-23 16:27:29 UTC
This issue has been addressed in the following products:

  Red Hat Runtimes Spring Boot 2.2.6

Via RHSA-2020:3806 https://access.redhat.com/errata/RHSA-2020:3806

Comment 42 errata-xmlrpc 2020-09-29 20:31:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:4004 https://access.redhat.com/errata/RHSA-2020:4004

Comment 44 errata-xmlrpc 2021-08-11 18:25:49 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.9

Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140

Comment 47 errata-xmlrpc 2022-06-30 18:34:37 UTC
This issue has been addressed in the following products:

  EAP 6.4.24 release

Via RHSA-2022:5458 https://access.redhat.com/errata/RHSA-2022:5458

Comment 48 errata-xmlrpc 2022-06-30 18:56:02 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2022:5459 https://access.redhat.com/errata/RHSA-2022:5459

Comment 49 errata-xmlrpc 2022-06-30 19:11:03 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2022:5460 https://access.redhat.com/errata/RHSA-2022:5460


Note You need to log in before you can comment on or make changes to this bug.