0017660: CVE-2020-13935 - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0017660	CentOS-7	tomcat	public	2020-08-10 15:08	2020-08-10 17:41

Reporter	soto330
Priority	high	Severity	major	Reproducibility	N/A
Status	new	Resolution	open
Product Version
Target Version		Fixed in Version

Summary	0017660: CVE-2020-13935
Description	CVE-2020-13935 was listed in RHEL and was found to affect tomcat in RHEL7. https://access.redhat.com/security/cve/CVE-2020-13935 Not aware of the upstream of the tomcat package in CentOS but trying to get a resolution to the issue
Additional Information	CVE-2020-13935 Apache Tomcat WebSocket Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M6 Apache Tomcat 9.0.0.M1 to 9.0.36 Apache Tomcat 8.5.0 to 8.5.56 Apache Tomcat 7.0.27 to 7.0.104 Description: The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. Mitigation: - Upgrade to Apache Tomcat 10.0.0-M7 or later - Upgrade to Apache Tomcat 9.0.37 or later - Upgrade to Apache Tomcat 8.5.57 or later Credit: This issue was reported publicly via the Apache Tomcat Users mailing list without reference to the potential for DoS. The DoS risks were identified by the Apache Tomcat Security Team. References: [1] http://tomcat.apache.org/security-10.html [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html http://mail-archives.us.apache.org/mod_mbox/www-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E
Tags	No tags attached.

abrt_hash
URL	https://access.redhat.com/security/cve/CVE-2020-13935

Date Modified	Username	Field	Change
2020-08-10 15:08	soto330	New Issue
2020-08-10 15:31	tigalch	Note Added: 0037514
2020-08-10 17:41	soto330	Note Added: 0037516