A flaw was found in the Apache Tomcat, where an h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. It affects the version of Apache Tomcat 10.0.0-M1 to 10.0.0-M6, Apache Tomcat 9.0.0.M5 to 9.0.36, Apache Tomcat 8.5.1 to 8.5.56. Upstream commits: Tomcat 10.0: https://github.com/apache/tomcat/commit/c9167ae30f3b03b112f3d81772e3450b7d0e6a25 Tomcat 9.0: https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230f399 Tomcat 8.5: https://github.com/apache/tomcat/commit/923d834500802a61779318911d7898bd85fc950e Reference: http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3Cad62f54e-8fd7-e326-25f1-3bdf1ffa3818%40apache.org%3E
External References: http://mail-archives.apache.org/mod_mbox/tomcat-announce/202007.mbox/%3Cad62f54e-8fd7-e326-25f1-3bdf1ffa3818%40apache.org%3E http://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M7 http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37 http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.105
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Data Virtualization 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following products: * Red Hat Enterprise Application Platform 6 * Red Hat Data Grid 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Red Hat Jboss Fuse 6 ships some of the vulnerable artifacts as bundled artifacts in ops4j pax web, however there is no use of these artifacts in Fuse itself, the artifacts are also prevented from loading with a deny list in karaf, for these reasons we believe the impact upon Fuse 6.3 is low. This vulnerability is out of security support scope for the following products: * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products: Red Hat JBoss Web Server 5.3 on RHEL 7 Red Hat JBoss Web Server 5.3 on RHEL 6 Red Hat JBoss Web Server 5.3 on RHEL 8 Via RHSA-2020:3306 https://access.redhat.com/errata/RHSA-2020:3306
This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2020:3308 https://access.redhat.com/errata/RHSA-2020:3308
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13934
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1867433]
Statement: Red Hat Certificate System 10.0 and Red Hat Enterprise Linux 8's Identity Management, are using a vulnerable version of Tomcat that is bundled into the pki-servlet-engine component. However, HTTP/2 is not enabled in such a configuration, and it is not possible to trigger the flaw in a supported setup. A future update may fix the code.
This issue has been addressed in the following products: Red Hat Runtimes Spring Boot 2.2.6 Via RHSA-2020:3806 https://access.redhat.com/errata/RHSA-2020:3806
This issue has been addressed in the following products: Red Hat Fuse 7.9 Via RHSA-2021:3140 https://access.redhat.com/errata/RHSA-2021:3140