1887648 – (CVE-2020-13943) CVE-2020-13943 tomcat: Apache Tomcat HTTP/2 Request mix-up

Bug 1887648 (CVE-2020-13943) - CVE-2020-13943 tomcat: Apache Tomcat HTTP/2 Request mix-up

Summary: CVE-2020-13943 tomcat: Apache Tomcat HTTP/2 Request mix-up

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-13943
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1889329
Blocks:	1887641
TreeView+	depends on / blocked

Reported:	2020-10-13 05:02 UTC by Ted Jongseok Won
Modified:	2023-12-15 19:45 UTC (History)
CC List:	86 users (show)
Fixed In Version:	tomcat 10.0.0-M8, tomcat 9.0.38, tomcat 8.5.58
Doc Type:	---
Doc Text:	A flaw was found in Apache Tomcat. If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it is possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:	2021-02-11 16:09:50 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2021:0494	None	None	None	2021-02-11 13:50:23 UTC
Red Hat Product Errata	RHSA-2021:0495	None	None	None	2021-02-11 13:51:47 UTC
Red Hat Product Errata	RHSA-2021:4012	None	None	None	2021-10-28 07:52:31 UTC
Red Hat Product Errata	RHSA-2021:5134	None	None	None	2021-12-14 21:32:58 UTC

Description Ted Jongseok Won 2020-10-13 05:02:15 UTC

If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

Upstream commits:
Tomcat 10.0: https://github.com/apache/tomcat/commit/1bbc650cbc3f08d85a1ec6d803c47ae53a84f3bb
Tomcat 9.0: https://github.com/apache/tomcat/commit/55911430df13f8c9998fbdee1f9716994d2db59b
Tomcat 8.5: https://github.com/apache/tomcat/commit/9d7def063b47407a09a2f9202beed99f4dcb292a

Reference:
http://mail-archives.apache.org/mod_mbox/tomcat-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E

Comment 1 Ted Jongseok Won 2020-10-13 05:02:26 UTC

External References:

http://mail-archives.apache.org/mod_mbox/tomcat-announce/202010.mbox/%3C2b767c6e-dcb9-5816-bd69-a3bc0771fef3%40apache.org%3E
http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M8
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.38
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.58

Comment 3 Ted Jongseok Won 2020-10-13 05:44:28 UTC

This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss Enterprise Application Platform 6
 * Red Hat JBoss Data Grid 6
 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 11 errata-xmlrpc 2021-02-11 13:50:18 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.4 on RHEL 7
  Red Hat JBoss Web Server 5.4 on RHEL 8

Via RHSA-2021:0494 https://access.redhat.com/errata/RHSA-2021:0494

Comment 12 errata-xmlrpc 2021-02-11 13:51:43 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2021:0495 https://access.redhat.com/errata/RHSA-2021:0495

Comment 13 Product Security DevOps Team 2021-02-11 16:09:50 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-13943

Comment 14 errata-xmlrpc 2021-10-28 07:52:27 UTC

This issue has been addressed in the following products:

  Red Hat Support for Spring Boot 2.4.9

Via RHSA-2021:4012 https://access.redhat.com/errata/RHSA-2021:4012

Comment 15 errata-xmlrpc 2021-12-14 21:32:53 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

Note You need to log in before you can comment on or make changes to this bug.

aboyko
aileenc
akoufoud
alazarot
alee
almorale
anstephe
asoldano
atangrin
avibelli
bbaranow
bgeorges
bmaxwell
brian.stansberry
cdewolf
chazlett
cmoulliard
coolsvap
csutherl
darran.lofthouse
dbecker
dkreling
dosoudil
drieden
eleandro
etirelli
ggaughan
gmalinko
gzaronik
hhorak
huwang
ibek
ikanello
ivan.afonichev
iweiss
janstey
java-sig-commits
jawilson
jbalunas
jclere
jjoyce
jochrist
jolee
jorton
jpallich
jperkins
jschatte
jschluet
jstastny
jwon
krathod
krzysztof.daniel
kverlaen
kwills
lgao
lhh
lpeer
lthon
mbabacek
mburns
mizdebsk
mkolesni
mnovotny
msochure
msvehla
mszynkie
myarboro
nwallace
pgallagh
pjindal
pmackay
rguimara
rhcs-maint
rrajasek
rruss
rstancel
rsvoboda
rsynek
sclewis
scohen
sdaley
slinaber
smaestri
tom.jenkinson
vondruch
weli