Apache Tomcat DoS Vulnerability on HTTP/2

IDs: 
CVE-2020-11996
Keywords: 
Tomcat, DoS, Denial of Service, HTTP/2
Description: 

Apache Tomcat versions 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 are affected by the DoS vulnerability CVE-2020-11996. If the HTTP/2 connector is enabled, a specially crafted sequence of HTTP/2 requests can trigger high CPU usage for several seconds, and enough such requests on concurrent HTTP/2 connections can make the server unresponsive. The flaw lies in Tomcat's HTTP/2 implementation, so it is only reachable over HTTP/2; connectors that serve HTTP/1.1 alone are not affected.

Airlock IAM is not affected

Airlock IAM versions 7.0 to 7.1 are not affected, since HTTP/2 is disabled in the embedded Apache Tomcat and cannot be enabled. Older versions of Airlock IAM (6.4 and below) are not affected in the default configuration, as HTTP/2 is disabled there as well. If HTTP/2 was manually enabled in such an installation, Airlock IAM is still protected as long as it is reachable only through Airlock WAF, as described below.

Airlock WAF is not affected

Airlock WAF is not affected because HTTP/2 is disabled on the Apache Tomcat instance it ships with. Airlock WAF also protects back-end applications, since it does not use HTTP/2 for back-end connections: a crafted HTTP/2 request sequence sent by a client is terminated at the WAF and is never forwarded to a back-end as HTTP/2. This protection covers only traffic that passes through Airlock WAF; a Tomcat back-end that is additionally reachable directly over HTTP/2 must be patched or have HTTP/2 disabled.
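Both sections above rest on the same two facts about a Tomcat instance: whether any connector has HTTP/2 enabled, and whether the Tomcat version falls into one of the affected ranges. The following Python script is an added example, not part of this advisory or of any Airlock product, that checks both for a given server.xml. In Tomcat, HTTP/2 is enabled per connector by nesting an UpgradeProtocol element with className org.apache.coyote.http2.Http2Protocol inside the Connector; the script flags such connectors and compares the version string against the ranges listed in the Description. The server.xml excerpt embedded in the script is constructed for illustration, and the version format handling (milestone builds sorting before the GA release they precede) is an assumption about Tomcat's version strings.

```python
import re
import xml.etree.ElementTree as ET

# Tomcat enables HTTP/2 on a connector by nesting this UpgradeProtocol in it.
HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"

# Affected ranges taken from the advisory's Description (inclusive).
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M5"),
    ("9.0.0.M1", "9.0.35"),
    ("8.5.0", "8.5.55"),
]

# Accepts "9.0.35", "8.5.55", "10.0.0-M5" and "9.0.0.M1" style versions.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version):
    """Map a Tomcat version string to a tuple that sorts in release order.

    Assumption: a milestone build (M-suffix) precedes the release with the
    same numbers, so the "is GA" flag is ordered before the milestone number.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            1 if milestone is None else 0,
            int(milestone or 0))


def is_affected(version):
    """True if the version lies inside one of the CVE-2020-11996 ranges."""
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi)
               for lo, hi in AFFECTED_RANGES)


def http2_connectors(server_xml):
    """Return the ports of all connectors that have HTTP/2 enabled."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_UPGRADE:
                ports.append(connector.get("port"))
    return ports


def exposure(version, server_xml):
    """Classify an instance: no HTTP/2 at all, HTTP/2 on a fixed version,
    or HTTP/2 on an affected version (the only case that needs action)."""
    if not http2_connectors(server_xml):
        return "http2-disabled"
    if is_affected(version):
        return "vulnerable"
    return "http2-enabled-patched"


# Constructed server.xml excerpt: HTTP/2 enabled on 8443 only (hypothetical).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>
"""

# Constructed variant with the UpgradeProtocol element removed.
SAMPLE_NO_HTTP2_XML = SAMPLE_SERVER_XML.replace(
    '      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>\n', "")


if __name__ == "__main__":
    for ver in ("9.0.35", "9.0.36", "10.0.0-M5", "8.5.55"):
        print(ver, http2_connectors(SAMPLE_SERVER_XML), exposure(ver, SAMPLE_SERVER_XML))
    print("no HTTP/2:", exposure("9.0.35", SAMPLE_NO_HTTP2_XML))
```

Run it against a real server.xml by reading the file into a string and passing the version reported by Tomcat's version.sh; only the "vulnerable" verdict requires an upgrade or disabling the UpgradeProtocol element, which matches the advisory's reasoning that an instance without HTTP/2 is not exposed regardless of version.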

Resolution: 

No action is required.

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock