You are here

Apache Tomcat DoS Vulnerability on HTTP/2

Tomcat, DoS, Denial of Service, HTTP/2

The Apache Tomcat HTTP Server versions 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 are affected by a severe DoS vulnerability CVE-2020-11996. If the HTTP/2 implementation is used, an attacker could trigger high CPU usage for several seconds.

Airlock IAM is not affected

Airlock IAM versions 7.0 to 7.1 are not affected, since HTTP/2 is disabled and cannot be used. Older versions of Airlock IAM (6.4 and below) are not affected in the default configuration, as HTTP/2 is disabled. If HTTP/2 was manually enabled, Airlock WAF protects as described below.

Airlock WAF is not affected

Airlock WAF is not affected because HTTP/2 is disabled for the Apache Tomcat HTTP Server. Airlock WAF further protects back-ends, since HTTP/2 is not used for back-end connections.


No action is required.

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Does not affect back-end behind Airlock