CVE-2020-13934

Description

An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.

CVSS Metrics

• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
• v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS Trends

Current EPSS score: 23.38%• Percentile: 96%

Techniques & Countermeasures

• CWE-401•Missing Release of Memory after Effective Lifetime

  The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

• CWE-476•NULL Pointer Dereference

  The product dereferences a pointer that it expects to be valid but is NULL.

Affected Systems

• Unknown•Tomcat

  ≥ 8.5.1, ≤ 8.5.56 | ≥ 9.0.1, ≤ 9.0.36 | 9.0.0:milestone10 | 9.0.0:milestone11 | 9.0.0:milestone12 | 9.0.0:milestone13 | 9.0.0:milestone14 | 9.0.0:milestone15 | 9.0.0:milestone16 | 9.0.0:milestone17 | 9.0.0:milestone18 | 9.0.0:milestone19 | 9.0.0:milestone20 | 9.0.0:milestone21 | 9.0.0:milestone22 | 9.0.0:milestone23 | 9.0.0:milestone24 | 9.0.0:milestone25 | 9.0.0:milestone26 | 9.0.0:milestone27 | 9.0.0:milestone5 | 9.0.0:milestone6 | 9.0.0:milestone7 | 9.0.0:milestone8 | 9.0.0:milestone9 | 10.0.0:milestone1 | 10.0.0:milestone2 | 10.0.0:milestone3 | 10.0.0:milestone4 | 10.0.0:milestone5 | 10.0.0:milestone6

• canonical•ubuntu_linux

  20.04

• debian•debian_linux

  9.0 | 10.0

• org.apache.tomcat•tomcat

  ≥ 10.0.0-M1, < 10.0.0-M6 | ≥ 9.0.0.M5, < 9.0.36 | ≥ 8.5.1, < 8.5.56

• org.apache.tomcat•tomcat-coyote

  ≥ 10.0.0-M1, < 10.0.0-M6 | ≥ 9.0.0.M5, < 9.0.36 | ≥ 8.5.1, < 8.5.56

• netapp•oncommand_system_manager

  ≥ 3.0.0, ≤ 3.1.3

• opensuse•leap

  15.1 | 15.2

• oracle•agile_engineering_data_management

  6.2.1.0

• oracle•agile_plm

  9.3.3 | 9.3.5 | 9.3.6

• oracle•communications_instant_messaging_server

  10.0.1.5.0

• oracle•fmw_platform

  12.2.1.3.0 | 12.2.1.4.0

• oracle•instantis_enterprisetrack

  17.1 | 17.2 | 17.3

• oracle•managed_file_transfer

  12.2.1.3.0 | 12.2.1.4.0

• oracle•mysql_enterprise_monitor

  ≤ 8.0.21

• oracle•siebel_ui_framework

  ≤ 20.12

• oracle•workload_manager

  12.2.0.1 | 18c | 19c

References (18)

• https://lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652ee4f962e%40%3Cannounce.tomcat.apache.org%3E
• https://www.debian.org/security/2020/dsa-4727
• https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html
• http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html
• http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html
• https://lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8%40%3Cdev.tomcat.apache.org%3E
• https://www.oracle.com/security-alerts/cpuoct2020.html
• https://security.netapp.com/advisory/ntap-20200724-0003/
• https://usn.ubuntu.com/4596-1/
• https://www.oracle.com/security-alerts/cpujan2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://nvd.nist.gov/vuln/detail/CVE-2020-13934
• https://lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8@%3Cdev.tomcat.apache.org%3E
• https://security.netapp.com/advisory/ntap-20200724-0003
• https://usn.ubuntu.com/4596-1
• https://github.com/apache/tomcat