Apache Tomcat up to 8.5.55/9.0.35/10.0.0-M5 HTTP/2 Request resource consumption

Summaryinfo

A vulnerability described as problematic has been identified in Apache Tomcat up to 8.5.55/9.0.35/10.0.0-M5. Impacted is an unknown function of the component HTTP2 Handler. Such manipulation as part of Request leads to resource consumption. This vulnerability is documented as CVE-2020-11996. The attack can be executed remotely. There is not any exploit available.

Detailsinfo

A vulnerability was found in Apache Tomcat up to 8.5.55/9.0.35/10.0.0-M5 (Application Server Software) and classified as problematic. Affected by this issue is an unknown code block of the component HTTP2 Handler. The manipulation as part of a Request leads to a resource consumption vulnerability. Using CWE to declare the problem leads to CWE-400. The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. Impacted is availability. CVE summarizes:

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

The weakness was released 06/26/2020 (Website). The advisory is shared for download at lists.apache.org. This vulnerability is handled as CVE-2020-11996 since 04/21/2020. The attack may be launched remotely. No form of authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The current price for an exploit might be approx. USD $0-$5k (estimation calculated on 06/27/2020). The MITRE ATT&CK project declares the attack technique as T1499.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Application Server Software

Vendor

• Apache

Name

• Tomcat

Version

• 8.5.0
• 8.5.1
• 8.5.2
• 8.5.3
• 8.5.4
• 8.5.5
• 8.5.6
• 8.5.7
• 8.5.8
• 8.5.9
• 8.5.10
• 8.5.11
• 8.5.12
• 8.5.13
• 8.5.14
• 8.5.15
• 8.5.16
• 8.5.17
• 8.5.18
• 8.5.19
• 8.5.20
• 8.5.21
• 8.5.22
• 8.5.23
• 8.5.24
• 8.5.25
• 8.5.26
• 8.5.27
• 8.5.28
• 8.5.29
• 8.5.30
• 8.5.31
• 8.5.32
• 8.5.33
• 8.5.34
• 8.5.35
• 8.5.36
• 8.5.37
• 8.5.38
• 8.5.39
• 8.5.40
• 8.5.41
• 8.5.42
• 8.5.43
• 8.5.44
• 8.5.45
• 8.5.46
• 8.5.47
• 8.5.48
• 8.5.49
• 8.5.50
• 8.5.51
• 8.5.52
• 8.5.53
• 8.5.54
• 8.5.55
• 9.0.0
• 9.0.1
• 9.0.2
• 9.0.3
• 9.0.4
• 9.0.5
• 9.0.6
• 9.0.7
• 9.0.8
• 9.0.9
• 9.0.10
• 9.0.11
• 9.0.12
• 9.0.13
• 9.0.14
• 9.0.15
• 9.0.16
• 9.0.17
• 9.0.18
• 9.0.19
• 9.0.20
• 9.0.21
• 9.0.22
• 9.0.23
• 9.0.24
• 9.0.25
• 9.0.26
• 9.0.27
• 9.0.28
• 9.0.29
• 9.0.30
• 9.0.31
• 9.0.32
• 9.0.33
• 9.0.34
• 9.0.35
• 10.0.0-M5

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion