CVE-2020-1935: XSS
First published: Mon Feb 24 2020(Updated: )
A flaw was found in Apache Tomcat. The HTTP header parsing code used an approach to end-of-line (EOL) parsing that allowed some invalid HTTP headers to be parsed as valid. This led to the possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. The highest threat with this vulnerability is system availability.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tomcat | <0:7.0.76-16.el7_9 | 0:7.0.76-16.el7_9 |
| redhat/tomcat | <0:7.0.76-11.el7_6 | 0:7.0.76-11.el7_6 |
| redhat/tomcat | <0:7.0.76-12.el7_7 | 0:7.0.76-12.el7_7 |
| redhat/tomcat7 | <0:7.0.70-41.ep7.el6 | 0:7.0.70-41.ep7.el6 |
| redhat/tomcat8 | <0:8.0.36-45.ep7.el6 | 0:8.0.36-45.ep7.el6 |
| redhat/tomcat7 | <0:7.0.70-41.ep7.el7 | 0:7.0.70-41.ep7.el7 |
| redhat/tomcat8 | <0:8.0.36-45.ep7.el7 | 0:8.0.36-45.ep7.el7 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el6 | 0:9.0.30-3.redhat_4.1.el6 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el6 | 0:1.2.23-4.redhat_4.el6 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el7 | 0:9.0.30-3.redhat_4.1.el7 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el7 | 0:1.2.23-4.redhat_4.el7 |
| redhat/jws5-tomcat | <0:9.0.30-3.redhat_4.1.el8 | 0:9.0.30-3.redhat_4.1.el8 |
| redhat/jws5-tomcat-native | <0:1.2.23-4.redhat_4.el8 | 0:1.2.23-4.redhat_4.el8 |
| redhat/tomcat | <9.0.31 | 9.0.31 |
| redhat/tomcat | <8.5.51 | 8.5.51 |
| redhat/tomcat | <7.0.100 | 7.0.100 |
| Apache Tomcat | >=7.0.0<=7.0.99 | |
| Apache Tomcat | >=8.5.0<=8.5.50 | |
| Apache Tomcat | >=9.0.0<=9.0.30 | |
| Apache Tomcat | =9.0.0 | |
| Apache Tomcat | =9.0.0-milestone1 | |
| Apache Tomcat | =9.0.0-milestone10 | |
| Apache Tomcat | =9.0.0-milestone11 | |
| Apache Tomcat | =9.0.0-milestone12 | |
| Apache Tomcat | =9.0.0-milestone13 | |
| Apache Tomcat | =9.0.0-milestone14 | |
| Apache Tomcat | =9.0.0-milestone15 | |
| Apache Tomcat | =9.0.0-milestone16 | |
| Apache Tomcat | =9.0.0-milestone17 | |
| Apache Tomcat | =9.0.0-milestone18 | |
| Apache Tomcat | =9.0.0-milestone19 | |
| Apache Tomcat | =9.0.0-milestone2 | |
| Apache Tomcat | =9.0.0-milestone20 | |
| Apache Tomcat | =9.0.0-milestone21 | |
| Apache Tomcat | =9.0.0-milestone22 | |
| Apache Tomcat | =9.0.0-milestone23 | |
| Apache Tomcat | =9.0.0-milestone24 | |
| Apache Tomcat | =9.0.0-milestone25 | |
| Apache Tomcat | =9.0.0-milestone26 | |
| Apache Tomcat | =9.0.0-milestone27 | |
| Apache Tomcat | =9.0.0-milestone3 | |
| Apache Tomcat | =9.0.0-milestone4 | |
| Apache Tomcat | =9.0.0-milestone5 | |
| Apache Tomcat | =9.0.0-milestone6 | |
| Apache Tomcat | =9.0.0-milestone7 | |
| Apache Tomcat | =9.0.0-milestone8 | |
| Apache Tomcat | =9.0.0-milestone9 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Canonical Ubuntu Linux | =16.04 | |
| openSUSE Leap | =15.1 | |
| Netapp Data Availability Services | ||
| NetApp OnCommand System Manager | >=3.0.0<=3.1.3 | |
| Oracle Agile Engineering Data Management | =6.2.1.0 | |
| Oracle Agile Product Lifecycle Management | =9.3.3 | |
| Oracle Agile Product Lifecycle Management | =9.3.5 | |
| Oracle Agile Product Lifecycle Management | =9.3.6 | |
| Oracle Communications Element Manager | =8.1.1 | |
| Oracle Communications Element Manager | =8.2.0 | |
| Oracle Communications Element Manager | =8.2.1 | |
| Oracle Communications Instant Messaging Server | =10.0.1.4.0 | |
| Oracle Health Sciences Empirica Inspections | =1.0.1.2 | |
| Oracle Health Sciences Empirica Signal | =7.3.3 | |
| Oracle Hospitality Guest Access | =4.2.0 | |
| Oracle Hospitality Guest Access | =4.2.1 | |
| Oracle Hyperion Infrastructure Technology | =11.1.2.4 | |
| Oracle Instantis Enterprisetrack | >=17.1<=17.3 | |
| Oracle Mysql Enterprise Monitor | >=4.0.0<=4.0.12 | |
| Oracle Mysql Enterprise Monitor | >=8.0.0<=8.0.20 | |
| Oracle Retail Order Broker | =15.0 | |
| Oracle Siebel Ui Framework | <=20.5 | |
| Oracle Transportation Management | =6.3.7 | |
| Oracle Workload Manager | =12.2.0.1 | |
| Oracle Workload Manager | =18c | |
| Oracle Workload Manager | =19c | |
| IBM Data Risk Manager | <=2.0.6 | |
| debian/tomcat9 | 9.0.43-2~deb11u10 9.0.70-2 9.0.95-1 |
Remedy
Workaround for Red Hat Satellite 6 is to add iptables rule to deny TCP requests of Tomcat that are not originating from the Satellite. For other Red Hat products, either mitigation isn't available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-1935 https://nvd.nist.gov/vuln/detail/CVE-2020-1935 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51 https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
- https://bugzilla.redhat.com/show_bug.cgi?id=1806835
- https://access.redhat.com/errata/RHSA-2020:5020
- https://access.redhat.com/errata/RHSA-2021:0882
- https://access.redhat.com/errata/RHSA-2021:1030
- https://access.redhat.com/errata/RHSA-2020:4847
- https://access.redhat.com/errata/RHSA-2021:3140
- https://access.redhat.com/errata/RHSA-2020:3305
- https://access.redhat.com/errata/RHSA-2020:3303
- https://access.redhat.com/errata/RHSA-2020:1520
- https://access.redhat.com/errata/RHSA-2020:1521
- https://access.redhat.com/errata/RHSA-2020:2367
- https://access.redhat.com/security/cve/cve-2020-1935
- https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E
- https://security.netapp.com/advisory/ntap-20200327-0005/
- https://www.debian.org/security/2020/dsa-4673
- https://www.debian.org/security/2020/dsa-4680
- https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E
- https://usn.ubuntu.com/4448-1/
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E
- https://launchpad.net/bugs/cve/CVE-2020-1935
- https://github.com/apache/tomcat/commit/8bfb0ff
- https://github.com/apache/tomcat/commit/8fbe2e9
- https://github.com/apache/tomcat/commit/702bf15
- https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100
- https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
- https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E
- https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E
- https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26
- https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56
- https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d
- https://security-tracker.debian.org/tracker/CVE-2020-1935
- https://exchange.xforce.ibmcloud.com/vulnerabilities/176788
- https://www.ibm.com/support/pages/node/6335281 (Advisory)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935
- https://nvd.nist.gov/vuln/detail/CVE-2020-1935
- https://ubuntu.com/security/CVE-2020-1935
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/weakness
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-1935
- agent/software-canonical-lookup
- agent/remedy
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/references
- agent/softwarecombine
- agent/tags
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/7.0.0
- version/apache tomcat/7.0.99
- version/apache tomcat/8.5.0
- version/apache tomcat/8.5.50
- version/apache tomcat/9.0.0
- version/apache tomcat/9.0.30
- version/apache tomcat/9.0.0-milestone1
- version/apache tomcat/9.0.0-milestone10
- version/apache tomcat/9.0.0-milestone11
- version/apache tomcat/9.0.0-milestone12
- version/apache tomcat/9.0.0-milestone13
- version/apache tomcat/9.0.0-milestone14
- version/apache tomcat/9.0.0-milestone15
- version/apache tomcat/9.0.0-milestone16
- version/apache tomcat/9.0.0-milestone17
- version/apache tomcat/9.0.0-milestone18
- version/apache tomcat/9.0.0-milestone19
- version/apache tomcat/9.0.0-milestone2
- version/apache tomcat/9.0.0-milestone20
- version/apache tomcat/9.0.0-milestone21
- version/apache tomcat/9.0.0-milestone22
- version/apache tomcat/9.0.0-milestone23
- version/apache tomcat/9.0.0-milestone24
- version/apache tomcat/9.0.0-milestone25
- version/apache tomcat/9.0.0-milestone26
- version/apache tomcat/9.0.0-milestone27
- version/apache tomcat/9.0.0-milestone3
- version/apache tomcat/9.0.0-milestone4
- version/apache tomcat/9.0.0-milestone5
- version/apache tomcat/9.0.0-milestone6
- version/apache tomcat/9.0.0-milestone7
- version/apache tomcat/9.0.0-milestone8
- version/apache tomcat/9.0.0-milestone9
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/16.04
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- vendor/netapp
- canonical/netapp data availability services
- canonical/netapp oncommand system manager
- version/netapp oncommand system manager/3.0.0
- version/netapp oncommand system manager/3.1.3
- vendor/oracle
- canonical/oracle agile engineering data management
- version/oracle agile engineering data management/6.2.1.0
- canonical/oracle agile product lifecycle management
- version/oracle agile product lifecycle management/9.3.3
- version/oracle agile product lifecycle management/9.3.5
- version/oracle agile product lifecycle management/9.3.6
- canonical/oracle communications element manager
- version/oracle communications element manager/8.1.1
- version/oracle communications element manager/8.2.0
- version/oracle communications element manager/8.2.1
- canonical/oracle communications instant messaging server
- version/oracle communications instant messaging server/10.0.1.4.0
- canonical/oracle health sciences empirica inspections
- version/oracle health sciences empirica inspections/1.0.1.2
- canonical/oracle health sciences empirica signal
- version/oracle health sciences empirica signal/7.3.3
- canonical/oracle hospitality guest access
- version/oracle hospitality guest access/4.2.0
- version/oracle hospitality guest access/4.2.1
- canonical/oracle hyperion infrastructure technology
- version/oracle hyperion infrastructure technology/11.1.2.4
- canonical/oracle instantis enterprisetrack
- version/oracle instantis enterprisetrack/17.1
- version/oracle instantis enterprisetrack/17.3
- canonical/oracle mysql enterprise monitor
- version/oracle mysql enterprise monitor/4.0.0
- version/oracle mysql enterprise monitor/4.0.12
- version/oracle mysql enterprise monitor/8.0.0
- version/oracle mysql enterprise monitor/8.0.20
- canonical/oracle retail order broker
- version/oracle retail order broker/15.0
- canonical/oracle siebel ui framework
- version/oracle siebel ui framework/20.5
- canonical/oracle transportation management
- version/oracle transportation management/6.3.7
- canonical/oracle workload manager
- version/oracle workload manager/12.2.0.1
- version/oracle workload manager/18c
- version/oracle workload manager/19c
- package-manager/debian
- vendor/ibm
- canonical/ibm data risk manager
- version/ibm data risk manager/2.0.6