First published: Thu Jun 25 2020
A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. Reference: https://tomcat.apache.org/security-8.html
Credit: security@apache.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jws5-jboss-logging | <0:3.4.1-1.Final_redhat_00001.1.el6 | 0:3.4.1-1.Final_redhat_00001.1.el6 |
redhat/jws5-tomcat | <0:9.0.36-6.redhat_5.2.el6 | 0:9.0.36-6.redhat_5.2.el6 |
redhat/jws5-tomcat-native | <0:1.2.25-2.redhat_2.el6 | 0:1.2.25-2.redhat_2.el6 |
redhat/jws5-jboss-logging | <0:3.4.1-1.Final_redhat_00001.1.el7 | 0:3.4.1-1.Final_redhat_00001.1.el7 |
redhat/jws5-tomcat | <0:9.0.36-6.redhat_5.2.el7 | 0:9.0.36-6.redhat_5.2.el7 |
redhat/jws5-tomcat-native | <0:1.2.25-2.redhat_2.el7 | 0:1.2.25-2.redhat_2.el7 |
redhat/jws5-jboss-logging | <0:3.4.1-1.Final_redhat_00001.1.el8 | 0:3.4.1-1.Final_redhat_00001.1.el8 |
redhat/jws5-tomcat | <0:9.0.36-6.redhat_5.2.el8 | 0:9.0.36-6.redhat_5.2.el8 |
redhat/jws5-tomcat-native | <0:1.2.25-2.redhat_2.el8 | 0:1.2.25-2.redhat_2.el8 |
maven/org.apache.tomcat:tomcat | >=8.5.0<8.5.55 | 8.5.55 |
maven/org.apache.tomcat:tomcat | >=9.0.0.M1<9.0.35 | 9.0.35 |
maven/org.apache.tomcat:tomcat | >=10.0.0-M1<=10.0.0-M4 | 10.0.0-M5 |
redhat/tomcat | <10.0.0 | 10.0.0 |
redhat/tomcat | <9.0.36 | 9.0.36 |
redhat/tomcat | <8.5.56 | 8.5.56 |
Apache Tomcat | >=8.5.0<=8.5.55 | |
Apache Tomcat | >=9.0.0<=9.0.35 | |
Apache Tomcat | =9.0.0-milestone1 | |
Apache Tomcat | =9.0.0-milestone10 | |
Apache Tomcat | =9.0.0-milestone11 | |
Apache Tomcat | =9.0.0-milestone12 | |
Apache Tomcat | =9.0.0-milestone13 | |
Apache Tomcat | =9.0.0-milestone14 | |
Apache Tomcat | =9.0.0-milestone15 | |
Apache Tomcat | =9.0.0-milestone16 | |
Apache Tomcat | =9.0.0-milestone17 | |
Apache Tomcat | =9.0.0-milestone18 | |
Apache Tomcat | =9.0.0-milestone19 | |
Apache Tomcat | =9.0.0-milestone2 | |
Apache Tomcat | =9.0.0-milestone20 | |
Apache Tomcat | =9.0.0-milestone21 | |
Apache Tomcat | =9.0.0-milestone22 | |
Apache Tomcat | =9.0.0-milestone23 | |
Apache Tomcat | =9.0.0-milestone24 | |
Apache Tomcat | =9.0.0-milestone25 | |
Apache Tomcat | =9.0.0-milestone26 | |
Apache Tomcat | =9.0.0-milestone27 | |
Apache Tomcat | =9.0.0-milestone3 | |
Apache Tomcat | =9.0.0-milestone4 | |
Apache Tomcat | =9.0.0-milestone5 | |
Apache Tomcat | =9.0.0-milestone6 | |
Apache Tomcat | =9.0.0-milestone7 | |
Apache Tomcat | =9.0.0-milestone8 | |
Apache Tomcat | =9.0.0-milestone9 | |
Apache Tomcat | =10.0.0-milestone1 | |
Apache Tomcat | =10.0.0-milestone2 | |
Apache Tomcat | =10.0.0-milestone3 | |
Apache Tomcat | =10.0.0-milestone4 | |
Apache Tomcat | =10.0.0-milestone5 | |
Canonical Ubuntu Linux | =20.04 | |
Oracle Mysql Enterprise Monitor | <=8.0.21 | |
Oracle Siebel Ui Framework | <=20.12 | |
Oracle Workload Manager | =12.2.0.1 | |
Oracle Workload Manager | =18c | |
Oracle Workload Manager | =19c | |
openSUSE Leap | =15.1 | |
openSUSE Leap | =15.2 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
NetApp OnCommand System Manager | =3.0 | |
NetApp OnCommand System Manager | =3.1.3 | |
IBM Data Risk Manager | <=2.0.6 | |
debian/tomcat9 | 9.0.43-2~deb11u10 9.0.70-2 9.0.95-1 | |
CVE-2020-11996 is a vulnerability in Apache Tomcat's HTTP/2 handling that can trigger high CPU usage and make the server unresponsive.
Apache Tomcat versions 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35, and 8.5.0 to 8.5.55 are affected by CVE-2020-11996.
CVE-2020-11996 has a severity rating of high.
You can find more information about CVE-2020-11996 on the Apache Tomcat website.