{
  "threat_severity" : "Moderate",
  "public_date" : "2020-06-25T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: specially crafted sequence of HTTP/2 requests can lead to DoS",
    "id" : "1851420",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1851420"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive." ],
  "statement" : "Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of RHOSP14 and only receives security fixes for Important and Critical flaws.\nThe Apache Tomcat versions shipped with Red Hat Enterprise Linux 6 and 7 are not affected by this flaw because they do not support the HTTP/2 protocol that this flaw requires.\nRed Hat Enterprise Linux 8's Identity Management uses an affected version of Tomcat bundled within the PKI servlet engine; however, the HTTP/2 protocol is not supported by this component, so the flaw is not reachable there.\npki-servlet-engine has been obsoleted by Tomcat in Red Hat Enterprise Linux 8.9 and later; therefore, no additional fixes will be made available for the servlet engine.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.9",
    "release_date" : "2021-08-11T00:00:00Z",
    "advisory" : "RHSA-2021:3140",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "tomcat",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5173",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4",
    "package" : "tomcat"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 6",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el6",
    "package" : "jws5-jboss-logging-0:3.4.1-1.Final_redhat_00001.1.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 6",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el6",
    "package" : "jws5-mod_cluster-0:1.4.2-7.Final_redhat_00002.2.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 6",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el6",
    "package" : "jws5-tomcat-0:9.0.36-6.redhat_5.2.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 6",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el6",
    "package" : "jws5-tomcat-native-0:1.2.25-2.redhat_2.el6jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 7",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7",
    "package" : "jws5-jboss-logging-0:3.4.1-1.Final_redhat_00001.1.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 7",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7",
    "package" : "jws5-mod_cluster-0:1.4.2-7.Final_redhat_00002.2.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 7",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7",
    "package" : "jws5-tomcat-0:9.0.36-6.redhat_5.2.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 7",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el7",
    "package" : "jws5-tomcat-native-0:1.2.25-2.redhat_2.el7jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 8",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8",
    "package" : "jws5-jboss-logging-0:3.4.1-1.Final_redhat_00001.1.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 8",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8",
    "package" : "jws5-mod_cluster-0:1.4.2-7.Final_redhat_00002.2.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 8",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8",
    "package" : "jws5-tomcat-0:9.0.36-6.redhat_5.2.el8jws"
  }, {
    "product_name" : "Red Hat JBoss Web Server 5.4 on RHEL 8",
    "release_date" : "2020-11-23T00:00:00Z",
    "advisory" : "RHSA-2020:5170",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.4::el8",
    "package" : "jws5-tomcat-native-0:1.2.25-2.redhat_2.el8jws"
  }, {
    "product_name" : "Red Hat support for Spring Boot 2.3.6",
    "release_date" : "2021-02-02T00:00:00Z",
    "advisory" : "RHSA-2021:0292",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "tomcat"
  }, {
    "product_name" : "Text-Only RHOAR",
    "release_date" : "2021-01-07T00:00:00Z",
    "advisory" : "RHSA-2020:5388",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Decision Manager 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "pki-deps:10.6/pki-servlet-engine",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "fix_state" : "Not affected",
    "package_name" : "tomcat",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11996\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11996\nhttp://mail-archives.apache.org/mod_mbox/tomcat-announce/202006.mbox/%3Cfd56bc1d-1219-605b-99c7-946bf7bd8ad4%40apache.org%3E\nhttp://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.0.0-M6\nhttp://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.56\nhttp://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36" ],
  "name" : "CVE-2020-11996",
  "csaw" : false
}