CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

["Kasteleijn, Wilco" <wi...@elemica.com>]

Hello, we would like to know if this vulnerability is only applicable for usage of the coyote http connector?
We are using Tomcat 8.5.55 in combination with a apache HTTPD proxy setup that is connected via the AJP connector. Are we also affected in that case?
Regards, Wilco.


This message contains confidential or privileged information and is intended only for the individual named. If you have received it by mistake, please let us know by e-mail reply and delete it from your system; you may not copy this message or disclose its contents to anyone. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Nothing in this email is intended to bind Elemica, Inc., which only operates under the terms of written agreements signed by an authorized officer. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.

Disclaimer

The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.

This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website.

Re: CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service

[Mark Thomas <ma...@apache.org>]

On 26/06/2020 13:35, Kasteleijn, Wilco wrote:
> Hello, we would like to know if this vulnerability is only applicable for usage of the coyote http connector?

It only applies when using the HTTP/2 protocol. That is only available
with an HTTP connector.

> We are using Tomcat 8.5.55 in combination with a apache HTTPD proxy setup that is connected via the AJP connector. Are we also affected in that case?

No. AJP is not affected.

Mark


> Regards, Wilco.
> 
> 
> This message contains confidential or privileged information and is intended only for the individual named. If you have received it by mistake, please let us know by e-mail reply and delete it from your system; you may not copy this message or disclose its contents to anyone. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the company. Nothing in this email is intended to bind Elemica, Inc., which only operates under the terms of written agreements signed by an authorized officer. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission.
> 
> Disclaimer
> 
> The information contained in this communication from the sender is confidential. It is intended solely for use by the recipient and others authorized to receive it. If you are not the recipient, you are hereby notified that any disclosure, copying, distribution or taking action in relation of the contents of this information is strictly prohibited and may be unlawful.
> 
> This email has been scanned for viruses and malware, and may have been automatically archived by Mimecast Ltd, an innovator in Software as a Service (SaaS) for business. Providing a safer and more useful place for your human generated data. Specializing in; Security, archiving and compliance. To find out more visit the Mimecast website.
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org