Jonkman Microblog
Conversation

  1. GeniusMusing (geniusmusing@nu.federati.net)'s status on Tuesday, 14-Jul-2020 12:10:02 EDT
    SECURITY CVE-2020-13935 Apache Tomcat WebSocket Denial of Service
    https://nu.federati.net/url/272819

    >CVE-2020-13935 Apache Tomcat WebSocket Denial of Service
    >
    >Severity: Important
    >
    >Vendor: The Apache Software Foundation
    >
    >Versions Affected:
    >Apache Tomcat 10.0.0-M1 to 10.0.0-M6
    >Apache Tomcat 9.0.0.M1 to 9.0.36
    >Apache Tomcat 8.5.0 to 8.5.56
    >Apache Tomcat 7.0.27 to 7.0.104
    >
    >Description:
    >The payload length in a WebSocket frame was not correctly validated.
    >Invalid payload lengths could trigger an infinite loop. Multiple
    >requests with invalid payload lengths could lead to a denial of service.
    >
    >Mitigation:
    >- Upgrade to Apache Tomcat 10.0.0-M7 or later
    >- Upgrade to Apache Tomcat 9.0.37 or later
    >- Upgrade to Apache Tomcat 8.5.57 or later
    >
    >Credit:
    >This issue was reported publicly via the Apache Tomcat Users mailing
    >list without reference to the potential for DoS. The DoS risks were
    >identified by the Apache Tomcat Security Team.
    >
    >References:
    >[1] http://tomcat.apache.org/security-10.html
    >[2] http://tomcat.apache.org/security-9.html
    >[3] http://tomcat.apache.org/security-8.html

    SECURITY CVE-2020-13934 Apache Tomcat HTTP/2 Denial of Service
    https://nu.federati.net/url/272820

    >CVE-2020-13934 Apache Tomcat HTTP/2 Denial of Service
    >
    >Severity: Moderate
    >
    >Vendor: The Apache Software Foundation
    >
    >Versions Affected:
    >Apache Tomcat 10.0.0-M1 to 10.0.0-M6
    >Apache Tomcat 9.0.0.M5 to 9.0.36
    >Apache Tomcat 8.5.1 to 8.5.56
    >
    >Description:
    >An h2c direct connection did not release the HTTP/1.1 processor after
    >the upgrade to HTTP/2. If a sufficient number of such requests were
    >made, an OutOfMemoryException could occur leading to a denial of service.
    >
    >Mitigation:
    >- Upgrade to Apache Tomcat 10.0.0-M7 or later
    >- Upgrade to Apache Tomcat 9.0.37 or later
    >- Upgrade to Apache Tomcat 8.5.57 or later
    >
    >Credit:
    >This issue was reported publicly via the Apache Tomcat Users mailing
    >list without reference to the potential for DoS. The DoS risks were
    >identified by the Apache Tomcat Security Team.
    In conversation Tuesday, 14-Jul-2020 12:10:02 EDT from nu.federati.net permalink
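    The first advisory quoted above says an invalid WebSocket payload length could drive Tomcat into an infinite loop, but not which length encoding was at fault. As an added example (not Apache Tomcat's code and not from the poster), here is a small RFC 6455 frame-header parser that rejects every payload-length form the spec forbids before the length can size a buffer or drive a read loop; the 1 MiB per-frame cap is an assumed deployment policy, not a value from the advisory.

```python
import struct

# Constructed example, not Apache Tomcat's code: parse an RFC 6455 frame header
# and reject every payload-length encoding the spec forbids before the length
# is used to size a buffer or drive a read loop.

MAX_FRAME_PAYLOAD = 1 << 20  # assumed per-frame cap (1 MiB); a deployment policy


class FrameError(ValueError):
    """Malformed frame header; the right response is to close the connection."""


def parse_frame_header(buf: bytes) -> dict:
    """Return fin/opcode/masked/payload_len/header_len for a client frame."""
    if len(buf) < 2:
        raise FrameError("need at least 2 header bytes")
    b0, b1 = buf[0], buf[1]
    fin, opcode = bool(b0 & 0x80), b0 & 0x0F
    masked, length7 = bool(b1 & 0x80), b1 & 0x7F
    pos = 2
    if length7 <= 125:
        payload_len = length7
    elif length7 == 126:
        if len(buf) < pos + 2:
            raise FrameError("truncated 16-bit length")
        payload_len = struct.unpack_from("!H", buf, pos)[0]
        pos += 2
        if payload_len < 126:  # RFC 6455 5.2: minimal encoding required
            raise FrameError("non-minimal 16-bit length")
    else:  # length7 == 127
        if len(buf) < pos + 8:
            raise FrameError("truncated 64-bit length")
        payload_len = struct.unpack_from("!Q", buf, pos)[0]
        pos += 8
        if payload_len >> 63:  # MSB must be 0; as a signed long it would be negative
            raise FrameError("64-bit length with MSB set")
        if payload_len < 0x10000:
            raise FrameError("non-minimal 64-bit length")
    if opcode >= 0x8 and (payload_len > 125 or not fin):
        raise FrameError("control frame too large or fragmented")
    if payload_len > MAX_FRAME_PAYLOAD:
        raise FrameError("payload exceeds configured limit")
    if masked:
        pos += 4  # 32-bit masking key follows the length fields
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "payload_len": payload_len, "header_len": pos}
```

    Each rejection path closes the connection instead of looping or allocating, which is the behaviour a server needs regardless of where in its own code the length check lives.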
    1. lnxw48a1 (lnxw48a1@nu.federati.net)'s status on Tuesday, 14-Jul-2020 13:59:25 EDT
      @geniusmusing Sounds like something that @musicman should be aware of. It is possible, of course, that his $EMPLOYER’s internal communications have already relayed this, but just in case.
      In conversation Tuesday, 14-Jul-2020 13:59:25 EDT from nu.federati.net permalink
      1. musicman (musicman@nu.federati.net)'s status on Tuesday, 14-Jul-2020 20:23:45 EDT
        I missed the standup today, but it might have been mentioned there. We don't do any hosting, so we just wait for people to ask...usually. It's possible we would reach out to customers we know would have this.

        I only vaguely watch the queue at this point.

        I don't see a lot of Tomcat tickets, but there is one from yesterday. It doesn't *seem* related, but I can't say for sure without digging in, which is probably not going to happen.

        I should check to see what version of Tomcat #Alfresco is using, but Alfresco isn't public facing, so I'm not that worried about it. And right now, there's not really any data to worry about losing.
        In conversation Tuesday, 14-Jul-2020 20:23:45 EDT from nu.federati.net permalink
Jonkman Microblog is a social network, courtesy of SOBAC Microcomputer Services. It runs on GNU social, version 1.2.0-beta5, available under the GNU Affero General Public License.

All Jonkman Microblog content and data are available under the Creative Commons Attribution 3.0 license.