The Apache Software Foundation has patched an HTTP/2 denial-of-service (DoS) vulnerability in Apache Tomcat, tracked as CVE-2020-11996. A remote attacker able to open HTTP/2 connections to the server could exploit it to make the server unresponsive.
The Apache Tomcat Security Team identified the DoS risk after the original issue was reported publicly on the Apache Tomcat Users mailing list.
“A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive,” Apache stated in the security advisory.
Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 are affected. Apache recommends upgrading Apache Tomcat to the following versions:
- 10.0.0-M6 or later
- 9.0.36 or later
- 8.5.56 or later
Note that Tomcat only negotiates HTTP/2 when an HTTP/2 UpgradeProtocol has been configured on a connector in server.xml, so installations that never enabled it are not exposed to this issue; upgrading is still the right fix, since the vulnerable code ships in every affected build.
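As an added example (not code from the article or from the Apache Tomcat project), the following Python script decides whether a reported Tomcat version falls below the fixed release for its branch, using the fixed versions listed above for CVE-2020-11996. It assumes the "Server version: Apache Tomcat/x.y.z" line printed by Tomcat's bundled `bin/version.sh`; the sample banner embedded below is constructed, not captured from a real host. Version comparison has to handle both milestone styles Tomcat has used ("10.0.0-M6" and the older "9.0.0.M1") and sort milestones below the GA release of the same number.

```python
import re

# Minimum fixed releases for CVE-2020-11996, per branch, as listed in the
# Apache advisory quoted in the article. Anything below these in the same
# branch is in the affected range; branches absent here (e.g. 7.0.x) are
# simply not listed for this CVE.
FIXED_VERSIONS = {
    (10, 0): "10.0.0-M6",
    (9, 0): "9.0.36",
    (8, 5): "8.5.56",
}

# Matches "9.0.36", "8.5.56", the current milestone style "10.0.0-M6" and
# the legacy milestone style "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")

# Matches the "Server version:" line printed by Tomcat's bundled version.sh.
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:[.-]M\d+)?)")


def parse_tomcat_version(text):
    """Turn a Tomcat version string into a tuple that compares correctly.

    Milestone builds must sort below the GA release with the same number,
    so the tuple is (major, minor, patch, is_ga, milestone):
    10.0.0-M5 -> (10, 0, 0, 0, 5) and 10.0.0 -> (10, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def version_from_banner(banner):
    """Extract the version from version.sh output; None if no match."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def assess(version_text, fixed=FIXED_VERSIONS):
    """Classify a version as 'vulnerable', 'fixed' or 'not listed'.

    'not listed' means the branch does not appear in the advisory's table;
    treat that as unknown rather than safe and check the advisory directly.
    """
    v = parse_tomcat_version(version_text)
    branch = (v[0], v[1])
    if branch not in fixed:
        return "not listed"
    return "vulnerable" if v < parse_tomcat_version(fixed[branch]) else "fixed"


# Constructed sample of what `bin/version.sh` prints on a pre-fix install
# (illustrative values, not output captured from a real server).
SAMPLE_BANNER = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.35
Server number:  9.0.35.0
OS Name:        Linux
"""

if __name__ == "__main__":
    found = version_from_banner(SAMPLE_BANNER)
    print(f"{found}: {assess(found)}")
    for candidate in ("8.5.55", "8.5.56", "10.0.0-M5", "10.0.0-M6", "7.0.104"):
        print(f"{candidate}: {assess(candidate)}")
```

The same `assess` function works for any advisory once `FIXED_VERSIONS` is swapped for that advisory's table; the branch-keyed lookup is what prevents, say, 8.5.56 from being judged against the 9.0.x fixed release.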
Apache also posted a follow-up to the announcement thread on June 28 that additionally references CVE-2020-1938, an AJP request injection and potential remote code execution vulnerability.
Also known as “Ghostcat,” the latter issue lets an attacker who can reach Tomcat's AJP connector (port 8009 by default) read any file within a web application, or have any file within the web application processed as a JSP; where the application also accepts file uploads, that becomes remote code execution. Installations that do not use AJP should disable the connector rather than leave it listening.