Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2021/03/19 13:44:00 UTC

[jira] [Updated] (TOMEE-2936) TomEE plus(7.0.9) is affected by CVE-2020-17527(BDSA-2020-3628) vulnerability.

     [ https://issues.apache.org/jira/browse/TOMEE-2936?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla updated TOMEE-2936:
-----------------------------------
    Fix Version/s: 7.0.10

> TomEE plus(7.0.9) is affected by CVE-2020-17527(BDSA-2020-3628) vulnerability.
> ------------------------------------------------------------------------------
>
>                 Key: TOMEE-2936
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2936
>             Project: TomEE
>          Issue Type: Bug
>    Affects Versions: 7.0.7, 7.0.8, 7.0.9
>            Reporter: Hariprasad tammineni
>            Assignee: Jonathan Gallimore
>            Priority: Major
>             Fix For: 7.0.10
>
>
> TomEE plus (7.0.9) uses Apache Tomcat version 8.5.57, which is affected by the vulnerability [CVE-2020-17527|https://blackduck.opentext.net/api/vulnerabilities/CVE-2020-17527] ([BDSA-2020-3628|https://blackduck.opentext.net/api/vulnerabilities/BDSA-2020-3628]) with a CVSS score of *7.5 (base)*, which results in information disclosure via an **HTTP/2** request header mix-up.
> Apache Tomcat ([*8.5.60*|https://github.com/apache/tomcat/releases/tag/8.5.60]) addresses this vulnerability. Is there any scheduled release of TomEE plus (7.0.9) with this component?
> If not planned, can you please upgrade TomEE plus (7.0.9) to Apache Tomcat version 8.5.60 or later, which addresses this vulnerability?
> h2. Technical Description
> This issue occurs in the {{java/org/apache/coyote/http2/HpackDecoder.java}} file and relates to the {{StringBuilder}} method. It was mitigated by amending the method by moving it within the {{readHpackString}} function and by including a length check.
> ----
> h4. References and Related Links
>  
> h4. Advisories
>  * [http://tomcat.apache.org/security-10.html]
>  * [http://tomcat.apache.org/security-8.html]
>  * [http://tomcat.apache.org/security-9.html]
>  
> h4. Vendor Upgrade
>  * [https://github.com/apache/tomcat/releases]
>  * [https://github.com/apache/tomcat/releases/tag/10.0.0-M10]
>  * [https://github.com/apache/tomcat/releases/tag/8.5.60]
>  * [https://github.com/apache/tomcat/releases/tag/9.0.40]
> h4. Patch
>  * [https://github.com/apache/tomcat/commit/21e3408671aac7e0d7e264e720cac8b1b189eb29]
>  * [https://github.com/apache/tomcat/commit/8d2fe6894d6e258a6d615d7f786acca80e6020cb]
>  * [https://github.com/apache/tomcat/commit/d56293f816d6dc9e2b47107f208fa9e95db58c65]
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
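Added illustration (not part of the Jira ticket and not Tomcat's HpackDecoder source) of the defect class the ticket's technical description names: a header decoder that keeps one StringBuilder for the whole connection and never clears it on an error path, placed beside a decoder that allocates the builder inside the read function and checks the declared length before decoding. The one-length-byte wire format, the class names, the printable-ASCII rule and the 64-byte limit are all constructed for this demo; what the third request shows is why a buffer that outlives one header read turns into a header mix-up between requests on the same connection.

```java
import java.nio.charset.StandardCharsets;

// Constructed toy, not Tomcat code: models a decoder that reuses one
// StringBuilder across every header on a connection (cleared only on the
// success path) next to one that allocates per call and checks length first.
// Invented wire format: one length byte followed by that many value bytes.
public class HeaderBufferReuseDemo {

    static final class MalformedHeaderException extends Exception {
        MalformedHeaderException(String msg) { super(msg); }
    }

    /** Vulnerable pattern: connection-scoped builder, reset only on success. */
    static final class SharedBufferDecoder {
        private final StringBuilder stringBuilder = new StringBuilder();

        String readHeaderValue(byte[] wire) throws MalformedHeaderException {
            int length = wire[0] & 0xFF;
            for (int i = 1; i <= length; i++) {
                int b = wire[i] & 0xFF;
                if (b < 0x20 || b > 0x7E) {
                    // Error path: bytes already appended stay in the field and are
                    // silently prepended to the next header read on this connection.
                    throw new MalformedHeaderException("non-printable byte at offset " + i);
                }
                stringBuilder.append((char) b);
            }
            String value = stringBuilder.toString();
            stringBuilder.setLength(0); // only the success path resets the buffer
            return value;
        }
    }

    /** Hardened pattern: declared length checked up front, builder local to the call. */
    static final class PerCallBufferDecoder {
        private final int maxLength;

        PerCallBufferDecoder(int maxLength) { this.maxLength = maxLength; }

        String readHeaderValue(byte[] wire) throws MalformedHeaderException {
            int length = wire[0] & 0xFF;
            if (length > maxLength) {
                throw new MalformedHeaderException("declared length " + length + " exceeds " + maxLength);
            }
            if (wire.length - 1 < length) {
                throw new MalformedHeaderException("truncated header");
            }
            StringBuilder sb = new StringBuilder(length); // nothing survives this call
            for (int i = 1; i <= length; i++) {
                int b = wire[i] & 0xFF;
                if (b < 0x20 || b > 0x7E) {
                    throw new MalformedHeaderException("non-printable byte at offset " + i);
                }
                sb.append((char) b);
            }
            return sb.toString();
        }
    }

    /** Builds a constructed wire value: one length byte, then the raw bytes. */
    static byte[] frame(byte[] value) {
        byte[] out = new byte[value.length + 1];
        out[0] = (byte) value.length;
        System.arraycopy(value, 0, out, 1, value.length);
        return out;
    }

    static byte[] ascii(String s) { return s.getBytes(StandardCharsets.US_ASCII); }

    public static void main(String[] args) {
        // Three header reads on one connection: a well-formed header, a malformed
        // one belonging to a different request, then a well-formed header again.
        byte[] first = frame(ascii("session=abc"));
        byte[] malformed = frame(new byte[] {'u', 's', 'e', 'r', '=', 0x01});
        byte[] third = frame(ascii("x=1"));

        SharedBufferDecoder shared = new SharedBufferDecoder();
        PerCallBufferDecoder perCall = new PerCallBufferDecoder(64);

        for (byte[] wire : new byte[][] {first, malformed, third}) {
            String a;
            String b;
            try { a = shared.readHeaderValue(wire); } catch (MalformedHeaderException e) { a = "ERROR: " + e.getMessage(); }
            try { b = perCall.readHeaderValue(wire); } catch (MalformedHeaderException e) { b = "ERROR: " + e.getMessage(); }
            System.out.printf("shared=%-36s perCall=%s%n", a, b);
        }
    }
}
```

Compile with javac and run the class. For the third read the per-call decoder returns `x=1`, while the shared-buffer decoder returns `user=x=1`: the `user=` prefix is the residue of the rejected header from the previous request, which is the cross-request disclosure the ticket describes. The two changes in the hardened version correspond to the two the ticket credits the fix with: the builder lives inside the read function, so no state carries over however the call exits, and the declared length is compared with the limit before any byte is decoded or any buffer sized, so a malicious length cannot drive allocation either.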