Issue Summary

      This vulnerability uses "(a) specially crafted sequence of HTTP/2 requests" to "trigger high CPU usage for several seconds." A large number of these HTTP/2 requests could be used to make an application unresponsive.

      Versions Affected:

      • Apache Tomcat 10.0.0-M1 to 10.0.0-M5
      • Apache Tomcat 9.0.0.M1 to 9.0.35
      • Apache Tomcat 8.5.0 to 8.5.55

      Fixed versions (not affected):

      • Apache Tomcat 10.0.0-M6 or later
      • Apache Tomcat 9.0.36 or later
      • Apache Tomcat 8.5.56 or later

      Notes

      • By default Confluence is configured to use an HTTP/1.1 connector and would not be vulnerable to this CVE

      Mitigation

      • No workaround is needed to mitigate this vulnerability.
      • If your organization determines that you cannot use a version of Tomcat that is affected by CVE-2020-11996 you can manually update the version of Tomcat used by Confluence to an unaffected version (9.0.37) as described in How to Upgrade The Tomcat Container for Confluence
        • Note: Manually upgrading the version of Tomcat used by Confluence is not supported. If any issues arise from making this change, Atlassian Support would first recommend going back to a supported version of Tomcat.
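The two conditions in this advisory (an affected Tomcat version and an HTTP/2 connector, which Confluence does not ship by default) can be checked mechanically. The script below is an added example written for this page; it is not Atlassian or Apache code. It assumes the affected ranges exactly as listed above, that milestone builds (M1, M2, ...) sort before the final release of the same version, and that HTTP/2 is enabled in Tomcat by an `UpgradeProtocol` element with `className="org.apache.coyote.http2.Http2Protocol"` inside a `Connector` (the real Tomcat mechanism). The two server.xml fragments are constructed samples, not real Confluence configuration files.

```python
"""Added example: decide whether a Confluence-bundled Tomcat is exposed to
CVE-2020-11996. Not code from the advisory, Atlassian or Apache.

Both advisory conditions must hold:
  1. the Tomcat version falls in an affected range, and
  2. an HTTP/2 upgrade protocol is configured on a connector
     (Confluence defaults to a plain HTTP/1.1 connector).
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges taken from the advisory (inclusive), keyed by release line.
AFFECTED_RANGES = {
    "10.0": ("10.0.0-M1", "10.0.0-M5"),
    "9.0": ("9.0.0.M1", "9.0.35"),
    "8.5": ("8.5.0", "8.5.55"),
}

# Tomcat's HTTP/2 upgrade protocol implementation class.
HTTP2_PROTOCOL = "org.apache.coyote.http2.Http2Protocol"

# Accepts "9.0.35", "10.0.0-M5" and the older "9.0.0.M1" spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(v):
    """Return a comparable tuple (major, minor, patch, milestone).

    Assumption: milestones sort before the GA release of the same x.y.z,
    so 10.0.0-M5 < 10.0.0-M6 < 10.0.0.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % v)
    major, minor, patch, milestone = m.groups()
    # A GA release (no milestone) gets a sentinel above any milestone number.
    ms = int(milestone) if milestone is not None else 10**6
    return (int(major), int(minor), int(patch), ms)


def version_affected(v):
    """True if the version lies inside one of the advisory's affected ranges."""
    pv = parse_version(v)
    key = "%d.%d" % (pv[0], pv[1])
    if key not in AFFECTED_RANGES:
        return False  # release line not listed by the advisory
    lo, hi = AFFECTED_RANGES[key]
    return parse_version(lo) <= pv <= parse_version(hi)


def http2_enabled(server_xml):
    """True if any <Connector> declares the HTTP/2 upgrade protocol."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == HTTP2_PROTOCOL:
                return True
    return False


def exposed(tomcat_version, server_xml):
    """Exposed only when both advisory conditions hold."""
    return version_affected(tomcat_version) and http2_enabled(server_xml)


# Constructed sample configurations (not real Confluence server.xml files).
DEFAULT_CONF = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8090" protocol="HTTP/1.1" maxThreads="48"/>
</Service></Server>"""

HTTP2_CONF = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    for ver in ("9.0.35", "9.0.37", "10.0.0-M5", "8.5.56"):
        print(ver, "default connector:", exposed(ver, DEFAULT_CONF),
              "| http2 connector:", exposed(ver, HTTP2_CONF))
```

Run against the real file, the `server_xml` argument would be the contents of `server.xml` from the Confluence installation's Tomcat `conf` directory; the version string comes from whatever Tomcat reports for that installation. A vulnerable version with the stock HTTP/1.1 connector reports not exposed, which is the point the advisory's note makes.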

            [CONFSERVER-60004] Upgrade Tomcat to version 9.0.37

            Lipkent Ng made changes -
            Remote Link Original: This issue links to "PSHELP-1511 (Atlassian Security Jira)" [ 539193 ] New: This issue links to "PSHELP-1511 (ASEC/J)" [ 539193 ]
            Xinyi Xu (Inactive) made changes -
            Remote Link New: This issue links to "R7.4 P1. Baseline › Main Plugins - Samurai › issue-74-CONFSERVER-60004-upgrade-tomcat-9.0.37 (server-syd-bamboo)" [ 631412 ]
            Xinyi Xu (Inactive) made changes -
            Remote Link New: This issue links to "R7.4 P1. Baseline › Main Plugins - Little Big Platform › issue-74-CONFSERVER-60004-upgrade-tomcat-9.0.37 (server-syd-bamboo)" [ 631163 ]
            Xinyi Xu (Inactive) made changes -
            Remote Link New: This issue links to "R7.4 P1. Baseline › Main Plugins - Scale › issue-74-CONFSERVER-60004-upgrade-tomcat-9.0.37 (server-syd-bamboo)" [ 631149 ]
            David Black made changes -
            Remote Link New: This issue links to "PSHELP-1511 (Atlassian Security Jira)" [ 539193 ]
            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 526638 ]
            Adilson Carvalho (Inactive) made changes -
            Remote Link Original: This issue links to "Page (Extranet)" [ 518414 ]
            Adilson Carvalho (Inactive) made changes -
            Remote Link New: This issue links to "Page (Extranet)" [ 525525 ]
            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 525275 ]
            Mark Lang made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 524160 ]
