Issue Summary

• The current version of Tomcat 9.0.33 bundled with Confluence (at least up to Confluence version 7.6) is vulnerable to HTTP/2 Denial of Service CVE-2020-11996
  https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_9.0.36
  http://mail-archives.us.apache.org/mod_mbox/www-announce/202006.mbox/%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4%40apache.org%3E

This vulnerability uses "(a) specially crafted sequence of HTTP/2 requests" to "trigger high CPU usage for several seconds." A large number of these HTTP/2 requests could be used to make an application unresponsive.

Versions Affected:

• Apache Tomcat 10.0.0-M1 to 10.0.0-M5
• Apache Tomcat 9.0.0.M1 to 9.0.35
• Apache Tomcat 8.5.0 to 8.5.55

Versions affected:

• Apache Tomcat 10.0.0-M6 or later
• Apache Tomcat 9.0.36 or later
• Apache Tomcat 8.5.56 or later

Notes

• By default Confluence is configured to use an HTTP/1.1 connector and would not be vulnerable to this CVE

Mitigation

• No workaround is needed to mitigate this vulnerability.
• If your organization determines that you cannot use a version of Tomcat that is affected by CVE-2020-11996 you can manually update the version of Tomcat used by Confluence to an unaffected version (9.0.37) as described in How to Upgrade The Tomcat Container for Confluence
  • Note: Manually upgrading the version of Tomcat used by Confluence is not supported. If any issues arise from making this change, Atlassian Support would first recommend going back to a supported version of Tomcat.