Tomcat vulnerability

timmy.fieremans · August 11, 2020, 2:30pm

Hi,

I am running Sonarqube 7.9.3 LTS version. I got to know this is running tomcat embedded version 8.5.38. Since 14th of July there was an announcement of Tomcat:

“Affected versions of this package are vulnerable to Denial of Service (DoS). The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.”

They recommend to upgrade to version 8.5.57 or higher. Will there be a new patch released soon to fix this? If not can we just replace the current embedded tomcat version by 8.5.57 or will there be some consequences for my installation of Sonarqube?

Kind regards,
Timmy

ganncamp · August 11, 2020, 5:12pm

Hi Timmy,

Welcome to the community, and thanks for this report.

So you know, I’ve de-listed this post until our internal security folks can look at the issue.

For future reference, here’s our Responsible Vulnerability Disclosure policy

Thx,
Ann

timmy.fieremans · August 12, 2020, 9:00am

Hi,

Thanks for taking this up.

Kind regards,
Timmy

timmy.fieremans · September 1, 2020, 12:19pm

Hi,
Any update on this?

Kind regards,
Timmy

ganncamp · September 1, 2020, 12:45pm

Hi Timmy,

Thanks for the ping. I’m sorry we didn’t get back to you earlier. In fact, our investigation showed this:

CVE-2020-11996 ==> only applies to WebSocket, that are explicitly disabled in our Tomcat configuration

CVE-2020-13934 ==> only for HTTP/2, that is not enabled

So nothing from this announcement affect us

Not that you can tell, but we did jump right onto this & closed the internal ticket on 14 Aug. We just forgot to get back to you on it.

We really do appreciate the time you took to make the report. I apologize for not being more responsive.

Ann

P.S. I’ve re-listed this topic.

timmy.fieremans · September 4, 2020, 7:20am

Hi Ann,

Thank you for replying.
Just to be 100% sure. In the link you send they speak of CVE-2020-13935, which is not mentioned in your reply. Is your first CVE-2020-11996 a typo?

Kind regards,
Timmy

pierreguillot · September 7, 2020, 9:12am

Hi, to sums things up:

Fixed in Apache Tomcat 10.0.0-M7

CVE-2020-13935: only affect WebSockets, that are explicitly disabled on SQ
CVE-2020-13934: affect http/1->http/2 connexion upgrade, disabled on SQ

Fixed in Apache Tomcat 10.0.0-M6

CVE-2020-11996: only affect http/2, disabled on SQ

Anantha_Madhava · November 10, 2020, 5:31am

Thanks Pierre and Ann for the replies.
I too have a SonarQube v7.9.3 both Community and Commercial editions running.
Please confirm about CVE-2020-13943 also.

Tobias_Trabelsi · November 10, 2020, 1:30pm

Hi @Anantha_Madhava ,

i can confirm that http/2 is explicitly disabled, so sonarqube is not vulnerable to CVE-2020-13943

Anantha_Madhava · November 11, 2020, 5:17am

Thanks a lot Tobias.

system · November 18, 2020, 5:17am

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.