I am running the SonarQube 7.9.3 LTS version. I found out that it runs embedded Tomcat version 8.5.38. On the 14th of July there was an announcement for Tomcat:
“Affected versions of this package are vulnerable to Denial of Service (DoS). The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.”
They recommend upgrading to version 8.5.57 or higher. Will a new patch be released soon to fix this? If not, can we just replace the current embedded Tomcat with version 8.5.57, or will there be consequences for my SonarQube installation?
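As an added example that is not part of this thread (and not SonarSource's or Tomcat's own code), here is a POSIX shell check for the question above: read the Implementation-Version from an embedded Tomcat jar's manifest and compare it against the 8.5.57 level the announcement recommends. The manifest text below is constructed inline; the jar path under a SonarQube install is an assumption, not something stated in the thread.

```shell
#!/bin/sh
# Added example: decide whether an embedded Tomcat, identified by its jar
# manifest, is below the 8.5.57 fix level quoted in the announcement.

FIXED_VERSION="8.5.57"   # version the Tomcat announcement recommends

# Constructed sample manifests (not copied from any real jar).
SAMPLE_MANIFEST='Manifest-Version: 1.0
Implementation-Title: Apache Tomcat
Implementation-Version: 8.5.38'

PATCHED_MANIFEST='Manifest-Version: 1.0
Implementation-Title: Apache Tomcat
Implementation-Version: 8.5.57'

# Print the Implementation-Version from manifest text read on stdin.
# Manifest lines are "Key: Value" and often CRLF-terminated; drop the CR.
manifest_version() {
  tr -d '\r' | sed -n 's/^Implementation-Version: *//p' | head -n 1
}

# Compare two dotted numeric versions ($1 vs $2); print lt, eq or gt.
# Missing components count as 0, so 8.5 sorts below 8.5.57.
version_cmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case "$a" in *.*) a=${a#*.};; *) a="";; esac
    case "$b" in *.*) b=${b#*.};; *) b="";; esac
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
    if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
  done
  echo eq
}

# $1 = manifest text. Exit 0 when an upgrade is needed, 1 when the version
# is already at or above FIXED_VERSION, 2 when no version could be read.
needs_upgrade() {
  v=$(printf '%s\n' "$1" | manifest_version)
  if [ -z "$v" ]; then
    echo "no Implementation-Version found in manifest" >&2
    return 2
  fi
  case "$(version_cmp "$v" "$FIXED_VERSION")" in
    lt) echo "Tomcat $v is below $FIXED_VERSION: upgrade needed"; return 0;;
    *)  echo "Tomcat $v is at or above $FIXED_VERSION"; return 1;;
  esac
}

# Run against the constructed 8.5.38 manifest (reports an upgrade is needed).
needs_upgrade "$SAMPLE_MANIFEST"
```

To run it against a real installation, feed the manifest of the embedded jar instead of the constructed string, for example `unzip -p /path/to/sonarqube/lib/common/tomcat-embed-core-*.jar META-INF/MANIFEST.MF | manifest_version` (the jar name and directory are assumptions; check your own install). The comparison is purely numeric, so a suffix such as `-SNAPSHOT` would need stripping first.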
Thank you for replying.
Just to be 100% sure: in the link you sent, they speak of CVE-2020-13935, which is not mentioned in your reply. Is the first CVE you gave, CVE-2020-11996, a typo?
Thanks Pierre and Ann for the replies.
I, too, have SonarQube v7.9.3 running, both the Community and Commercial editions.
Please also confirm about CVE-2020-13943.