You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2020/12/03 18:01:18 UTC
[SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M5 to 9.0.39
Apache Tomcat 8.5.1 to 8.5.59
Description:
While investigating Bug 64830 it was discovered that Apache Tomcat could
re-use an HTTP request header value from the previous stream received
on an HTTP/2 connection for the request associated with the subsequent
stream. While this would most likely lead to an error and the closure of
the HTTP/2 connection, it is possible that information could leak
between requests.
Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M10 or later
- Upgrade to Apache Tomcat 9.0.40 or later
- Upgrade to Apache Tomcat 8.5.60 or later
Credit:
This issue was identified by the Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2
Request header mix-up
Posted by Mark Thomas <ma...@apache.org>.
Please note the updated affected version information below.
Mark
On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39
This should be Apache Tomcat 9.0.0.M1 to 9.0.39
> Apache Tomcat 8.5.1 to 8.5.59
This should be Apache Tomcat 8.5.0 to 8.5.59
>
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
> re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
>
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2
Request header mix-up
Posted by Mark Thomas <ma...@apache.org>.
Please note the updated affected version information below.
Mark
On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39
This should be Apache Tomcat 9.0.0.M1 to 9.0.39
> Apache Tomcat 8.5.1 to 8.5.59
This should be Apache Tomcat 8.5.0 to 8.5.59
>
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
> re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
>
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
>
Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2
Request header mix-up
Posted by Mark Thomas <ma...@apache.org>.
Please note the updated affected version information below.
Mark
On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39
This should be Apache Tomcat 9.0.0.M1 to 9.0.39
> Apache Tomcat 8.5.1 to 8.5.59
This should be Apache Tomcat 8.5.0 to 8.5.59
>
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
> re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
>
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [SECURITY][CORRECTION] CVE-2020-17527 Apache Tomcat HTTP/2
Request header mix-up
Posted by Mark Thomas <ma...@apache.org>.
Please note the updated affected version information below.
Mark
On 03/12/2020 18:01, Mark Thomas wrote:
> CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M9
> Apache Tomcat 9.0.0.M5 to 9.0.39
This should be Apache Tomcat 9.0.0.M1 to 9.0.39
> Apache Tomcat 8.5.1 to 8.5.59
This should be Apache Tomcat 8.5.0 to 8.5.59
>
> Description:
> While investigating Bug 64830 it was discovered that Apache Tomcat could
> re-use an HTTP request header value from the previous stream received
> on an HTTP/2 connection for the request associated with the subsequent
> stream. While this would most likely lead to an error and the closure of
> the HTTP/2 connection, it is possible that information could leak
> between requests.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M10 or later
> - Upgrade to Apache Tomcat 9.0.40 or later
> - Upgrade to Apache Tomcat 8.5.60 or later
>
> Credit:
> This issue was identified by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
>