From: Mark Thomas
Subject: [SECURITY] CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
To: Tomcat Users List
Cc: Tomcat Developers List, announce@tomcat.apache.org, announce@apache.org
Date: Thu, 25 Jun 2020 22:56:03 +0100

CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M5
Apache Tomcat 9.0.0.M1 to 9.0.35
Apache Tomcat 8.5.0 to 8.5.55

Description:
A specially crafted sequence of HTTP/2 requests could trigger high CPU
usage for several seconds. If a sufficient number of such requests were
made on concurrent HTTP/2 connections, the server could become
unresponsive.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M6 or later
- Upgrade to Apache Tomcat 9.0.36 or later
- Upgrade to Apache Tomcat 8.5.56 or later

Credit:
This issue was reported publicly via the Apache Tomcat Users mailing
list without reference to the potential for DoS. The DoS risks were
identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
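As an added example (not part of the advisory or the Tomcat project), a Python check that decides whether a Tomcat version string falls inside the affected ranges listed above and which fixed release the mitigation section points to; it handles Tomcat's two milestone spellings (9.0.0.M1 and 10.0.0-M5) and only covers the branches this advisory names, so versions on other branches are reported as not listed.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory (inclusive bounds).
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M5"),
    ("9.0.0.M1", "9.0.35"),
    ("8.5.0", "8.5.55"),
]

# First fixed release per affected branch, from the mitigation section.
FIXED_VERSIONS = {10: "10.0.0-M6", 9: "9.0.36", 8: "8.5.56"}

# major.minor.patch with an optional milestone written as ".M<n>" or "-M<n>".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable key.

    Tomcat writes milestones as '9.0.0.M1' (8.x/9.x) or '10.0.0-M5' (10.x).
    A milestone precedes the GA release with the same numbers, so the key
    is (major, minor, patch, is_ga, milestone).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's listed ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def recommended_upgrade(version: str) -> Optional[str]:
    """Fixed release to move to, or None when the version is not listed as affected."""
    if not is_affected(version):
        return None
    return FIXED_VERSIONS[parse_version(version)[0]]


if __name__ == "__main__":
    # Constructed sample inventory covering both sides of each boundary.
    for v in ("8.5.55", "8.5.56", "9.0.0.M1", "9.0.36", "10.0.0-M5", "10.0.0-M6"):
        print(v, "affected" if is_affected(v) else "not listed", recommended_upgrade(v))
```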