View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0017660 | CentOS-7 | tomcat | public | 2020-08-10 15:08 | 2020-08-10 17:41 |
Reporter | soto330 | Assigned To | |||
Priority | high | Severity | major | Reproducibility | N/A |
Status | new | Resolution | open | ||
Summary | 0017660: CVE-2020-13935 | ||||
Description | CVE-2020-13935 was listed in RHEL and was found to affect tomcat in RHEL7. https://access.redhat.com/security/cve/CVE-2020-13935 Not aware of the upstream of the tomcat package in CentOS but trying to get a resolution to the issue | ||||
Additional Information | CVE-2020-13935 Apache Tomcat WebSocket Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 10.0.0-M1 to 10.0.0-M6 Apache Tomcat 9.0.0.M1 to 9.0.36 Apache Tomcat 8.5.0 to 8.5.56 Apache Tomcat 7.0.27 to 7.0.104 Description: The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. Mitigation: - Upgrade to Apache Tomcat 10.0.0-M7 or later - Upgrade to Apache Tomcat 9.0.37 or later - Upgrade to Apache Tomcat 8.5.57 or later Credit: This issue was reported publicly via the Apache Tomcat Users mailing list without reference to the potential for DoS. The DoS risks were identified by the Apache Tomcat Security Team. References: [1] http://tomcat.apache.org/security-10.html [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html http://mail-archives.us.apache.org/mod_mbox/www-announce/202007.mbox/%3C39e4200c-6f4e-b85d-fe4b-a9c2bd5fdc3d%40apache.org%3E | ||||
Tags | No tags attached. | ||||
abrt_hash | |||||
URL | https://access.redhat.com/security/cve/CVE-2020-13935 | ||||