Issue Summary

      This vulnerability uses "(a) specially crafted sequence of HTTP/2 requests" to "trigger high CPU usage for several seconds." A large number of these HTTP/2 requests could be used to make an application unresponsive.

      Versions Affected:

      • Apache Tomcat 10.0.0-M1 to 10.0.0-M5
      • Apache Tomcat 9.0.0.M1 to 9.0.35
      • Apache Tomcat 8.5.0 to 8.5.55

      Fixed Versions:

      • Apache Tomcat 10.0.0-M6 or later
      • Apache Tomcat 9.0.36 or later
      • Apache Tomcat 8.5.56 or later

      Notes

      • By default Confluence is configured to use an HTTP/1.1 connector and would not be vulnerable to this CVE

      Mitigation

      • No workaround is needed to mitigate this vulnerability.
      • If your organization determines that you cannot use a version of Tomcat that is affected by CVE-2020-11996, you can manually update the version of Tomcat used by Confluence to an unaffected version (9.0.37) as described in How to Upgrade The Tomcat Container for Confluence.
        • Note: Manually upgrading the version of Tomcat used by Confluence is not supported. If any issues arise from making this change, Atlassian Support would first recommend going back to a supported version of Tomcat.
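The two facts that decide whether an instance needs action here are the bundled Tomcat version (inside or outside the affected ranges above) and whether any connector in server.xml actually has HTTP/2 enabled. The following Python script is an added example, not code from the ticket or from Atlassian: it encodes the affected ranges exactly as listed in the summary, compares a Tomcat version string against them (including Tomcat's M-milestone numbering), and scans a server.xml for the `UpgradeProtocol` element Tomcat uses to switch on HTTP/2. The two embedded server.xml documents are constructed, simplified samples; the first mirrors the shipped HTTP/1.1-only layout, the second is the same with HTTP/2 added to a second connector.

```python
import re
import xml.etree.ElementTree as ET

# Affected Tomcat ranges for CVE-2020-11996, copied from the issue summary
# (both ends inclusive). Anything outside these ranges is treated as fixed.
AFFECTED_RANGES = [
    ("8.5.0", "8.5.55"),
    ("9.0.0.M1", "9.0.35"),
    ("10.0.0-M1", "10.0.0-M5"),
]


def parse_version(version: str) -> tuple:
    """Turn a Tomcat version string into a sortable key.

    Accepts "9.0.35", "9.0.0.M27", "10.0.0-M5", the four-part server
    number "9.0.37.0" and the "Apache Tomcat/9.0.37" banner.
    Milestones (M<n>) sort before the corresponding final release.
    """
    version = version.split("/")[-1].strip()
    numbers, milestone = [], None
    for token in re.split(r"[.-]", version):
        if token.isdigit():
            numbers.append(int(token))
        else:
            match = re.fullmatch(r"M(\d+)", token)
            if match is None:
                raise ValueError(f"unrecognised Tomcat version: {version!r}")
            milestone = int(match.group(1))
    if len(numbers) < 3:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = numbers[:3]
    # Final releases get a 1 in the fourth slot so they sort after any milestone.
    return (major, minor, patch, 0 if milestone is not None else 1, milestone or 0)


def is_affected(version: str) -> bool:
    """True if the Tomcat version falls inside one of the affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def http2_connectors(server_xml: str) -> list:
    """Return the ports of connectors that have HTTP/2 enabled.

    Tomcat enables HTTP/2 by nesting an <UpgradeProtocol> element whose
    className is org.apache.coyote.http2.Http2Protocol inside a <Connector>.
    """
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className", "").endswith(".Http2Protocol"):
                ports.append(connector.get("port", "?"))
    return ports


def assess(tomcat_version: str, server_xml: str) -> str:
    """Combine the version check and the connector scan into one verdict."""
    if not is_affected(tomcat_version):
        return "not-affected"
    if http2_connectors(server_xml):
        return "exposed"
    return "affected-but-not-exposed"


# Constructed, simplified server.xml resembling the shipped HTTP/1.1-only
# layout (8090 is the default Confluence port).
DEFAULT_SERVER_XML = """
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="48" connectionTimeout="20000"/>
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Constructed variant: an operator has added a TLS connector with HTTP/2.
HTTP2_SERVER_XML = """
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Engine name="Standalone" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for version in ("9.0.33", "9.0.37"):
        for name, xml in (("default", DEFAULT_SERVER_XML), ("http2", HTTP2_SERVER_XML)):
            print(f"Tomcat {version}, {name} server.xml: {assess(version, xml)}")
```

On a real instance the version string can be taken from `java -cp <confluence-install>/lib/catalina.jar org.apache.catalina.util.ServerInfo` (its "Server version" line is in the banner form the parser accepts) and the connector scan run over the installed server.xml. The "affected-but-not-exposed" verdict is the situation the Notes above describe: a Tomcat inside the affected range but no HTTP/2 connector for the crafted request sequence to reach.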

            [CONFSERVER-60004] Upgrade Tomcat to version 9.0.37

            Savvas Sarikas added a comment -

            Although this is not mentioned in the release notes, Tomcat 9.0.37 is bundled with Confluence 7.4.4 as well.

            Tam Tran added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 7.8.0
            Upgrade now or check out the Release Notes to see what other issues are resolved.


            aaronk added a comment - - edited

            Agree with Daniel above. Maybe I missed it but I don't see where it's been included if I just look at the release notes. https://confluence.atlassian.com/doc/confluence-7-7-release-notes-1004960930.html#Confluence7.7ReleaseNotes-issues

            Also do not see it on here: https://confluence.atlassian.com/conf74/bundled-tomcat-and-java-versions-1018770507.html

            Daniel Alpiger added a comment -

            @Tam Tran: thx for this! didn't find it in here: https://confluence.atlassian.com/doc/confluence-release-notes-327.html before - now it's there

            Tam Tran added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 7.7.4
            Upgrade now or check out the Release Notes to see what other issues are resolved.


            Daniel Alpiger added a comment -

            Hi all

            When will 7.7.4 / 7.8.0 (server in my case) be available?

            Since it has the 'security' label, this ticket has been imported into Vulnerability Funnel as: https://asecurityteam.atlassian.net/browse/VULN-196457

            The issue will be triaged by the Product Security team and if it is determined to be a security vulnerability, it will need to be completed prior to the assigned security SLO due date.

            For more information on how Atlassian handles security vulnerabilities, see the Security Vulnerabilities - User Guide

            To avoid duplicate issues, please do not remove the 'security-imported' label from this issue.


            Daniel Alpiger added a comment -

            CSP-279969 - hoping this to be soon closed (as for JIRA) - thx for pushing it accordingly.

            aaronk added a comment -

            CVE-2020-13935 would be mitigated with Apache Tomcat 9.0.37 also. Any ETA on a fix for this CVE?

            Description:
            The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.


            Branno (Inactive) added a comment - - edited

            0efcfe4f0089 you are correct that running Confluence using a version of Tomcat that it did not ship with would be unsupported. We're providing the steps to manually upgrade Tomcat as an option for any organization that cannot run software that has a known vulnerability, regardless of whether or not that vulnerability is exploitable.

            As shipped, Confluence does not use HTTP/2 connections and does not require taking any mitigating measures. It is up to each customer to decide if they must use an unsupported version of Tomcat until we release a new version of Confluence to resolve this issue.

            I've updated the description to better reflect this.


              xxu@atlassian.com Xinyi Xu (Inactive)
              abrancalhao@atlassian.com Armando Neto
              Affected customers: 6
              Watchers: 21
