You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@apache.org by Mark Thomas <ma...@apache.org> on 2020/12/03 18:01:18 UTC

[SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M5 to 9.0.39
Apache Tomcat 8.5.1 to 8.5.59

Description:
While investigating Bug 64830 it was discovered that Apache Tomcat could
 re-use an HTTP request header value from the previous stream received
on an HTTP/2 connection for the request associated with the subsequent
stream. While this would most likely lead to an error and the closure of
the HTTP/2 connection, it is possible that information could leak
between requests.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M10 or later
- Upgrade to Apache Tomcat 9.0.40 or later
- Upgrade to Apache Tomcat 8.5.60 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html

Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

Posted by Mark Thomas <ma...@apache.org>.

Please note the updated affected version information below.

Mark


On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
> 
> Severity: Moderate
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39

This should be Apache Tomcat 9.0.0.M1 to 9.0.39

> Apache Tomcat 8.5.1 to 8.5.59

This should be Apache Tomcat 8.5.0 to 8.5.59


> 
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
>  re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
> 
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
> 
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
> 
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

Posted by Mark Thomas <ma...@apache.org>.

Please note the updated affected version information below.

Mark


On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
> 
> Severity: Moderate
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39

This should be Apache Tomcat 9.0.0.M1 to 9.0.39

> Apache Tomcat 8.5.1 to 8.5.59

This should be Apache Tomcat 8.5.0 to 8.5.59


> 
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
>  re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
> 
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
> 
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
> 
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
>

Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

Posted by Mark Thomas <ma...@apache.org>.

Please note the updated affected version information below.

Mark


On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
> 
> Severity: Moderate
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39

This should be Apache Tomcat 9.0.0.M1 to 9.0.39

> Apache Tomcat 8.5.1 to 8.5.59

This should be Apache Tomcat 8.5.0 to 8.5.59


> 
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
>  re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
> 
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
> 
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
> 
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

Posted by Mark Thomas <ma...@apache.org>.

Please note the updated affected version information below.

Mark


On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
> 
> Severity: Moderate
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39

This should be Apache Tomcat 9.0.0.M1 to 9.0.39

> Apache Tomcat 8.5.1 to 8.5.59

This should be Apache Tomcat 8.5.0 to 8.5.59


> 
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
>  re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
> 
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
> 
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
> 
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
>