Tomcat vulnerability

Hi,

I am running SonarQube 7.9.3 LTS version. I got to know this is running embedded Tomcat version 8.5.38. On the 14th of July there was an announcement from Tomcat:

“Affected versions of this package are vulnerable to Denial of Service (DoS). The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.”

They recommend upgrading to version 8.5.57 or higher. Will there be a new patch released soon to fix this? If not, can we just replace the current embedded Tomcat version with 8.5.57, or will there be some consequences for my installation of SonarQube?

Kind regards,
Timmy

Hi Timmy,

Welcome to the community, and thanks for this report.

So you know, I’ve de-listed this post until our internal security folks can look at the issue.

For future reference, here’s our Responsible Vulnerability Disclosure policy

Thx,
Ann

Hi,

Thanks for taking this up.

Kind regards,
Timmy

Hi,
Any update on this?

Kind regards,
Timmy

Hi Timmy,

Thanks for the ping. I’m sorry we didn’t get back to you earlier. In fact, our investigation showed this:

CVE-2020-11996 ==> only applies to WebSockets, which are explicitly disabled in our Tomcat configuration

CVE-2020-13934 ==> only for HTTP/2, which is not enabled

So nothing from this announcement affects us.

Not that you can tell, but we did jump right onto this & closed the internal ticket on 14 Aug. We just forgot to get back to you on it.

We really do appreciate the time you took to make the report. I apologize for not being more responsive.

Ann

P.S. I’ve re-listed this topic.

Hi Ann,

Thank you for replying.
Just to be 100% sure: in the link you sent they speak of CVE-2020-13935, which is not mentioned in your reply. Is your first CVE-2020-11996 a typo?

Kind regards,
Timmy

Hi, to sum things up:

Fixed in Apache Tomcat 10.0.0-M7

CVE-2020-13935: only affects WebSockets, which are explicitly disabled on SQ
CVE-2020-13934: affects the HTTP/1 -> HTTP/2 connection upgrade, disabled on SQ

Fixed in Apache Tomcat 10.0.0-M6

CVE-2020-11996: only affects HTTP/2, disabled on SQ
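The thread's conclusion rests on two features being disabled: the WebSocket upgrade and the cleartext HTTP/1.1 -> HTTP/2 (h2c) upgrade. An operator can confirm that on their own instance rather than take it on faith. The script below is an added example written for this thread; it is not SonarSource code and not taken from any post above. It sends the two standard upgrade handshakes (RFC 6455 for WebSocket, RFC 7540 section 3.2 for h2c) and counts an upgrade as accepted only when the server answers 101 Switching Protocols and names the requested protocol in its Upgrade header. The target host, port and path (localhost, 9000, "/") are assumptions; 9000 is SonarQube's default port, but adjust to your deployment.

```python
"""Probe an HTTP endpoint for WebSocket and h2c (HTTP/1.1 -> HTTP/2) upgrades.

Added example for this thread; not SonarSource code. The target
(localhost:9000, path "/") is an assumption, not something from the thread.
"""
import base64
import http.client
import os


def websocket_upgrade_headers(host: str) -> dict:
    """RFC 6455 opening-handshake headers. Sec-WebSocket-Key is 16 random bytes, base64."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    return {
        "Host": host,
        "Connection": "Upgrade",
        "Upgrade": "websocket",
        "Sec-WebSocket-Version": "13",
        "Sec-WebSocket-Key": key,
    }


def h2c_upgrade_headers(host: str) -> dict:
    """RFC 7540 section 3.2 cleartext-upgrade headers.

    HTTP2-Settings carries a base64url-encoded SETTINGS payload without padding.
    Here it holds a single SETTINGS_MAX_CONCURRENT_STREAMS (id 0x3) = 100.
    """
    settings_payload = (3).to_bytes(2, "big") + (100).to_bytes(4, "big")
    settings = base64.urlsafe_b64encode(settings_payload).decode("ascii").rstrip("=")
    return {
        "Host": host,
        "Connection": "Upgrade, HTTP2-Settings",
        "Upgrade": "h2c",
        "HTTP2-Settings": settings,
    }


def upgrade_accepted(status: int, headers: dict, protocol: str) -> bool:
    """True only for 101 Switching Protocols with the requested token in Upgrade.

    Any other answer (200 serving the page, 400, 404, 426 ...) means the server
    did not switch protocols, which is the expected result on an instance with
    WebSockets and HTTP/2 disabled. Header names are matched case-insensitively.
    """
    if status != 101:
        return False
    lowered = {name.lower(): value for name, value in headers.items()}
    offered = [tok.strip().lower() for tok in lowered.get("upgrade", "").split(",")]
    return protocol.lower() in offered


def probe_upgrade(host: str, port: int, path: str, protocol: str, timeout: float = 5.0) -> dict:
    """Send one upgrade request and classify the answer. Needs network access to the target."""
    if protocol == "websocket":
        headers = websocket_upgrade_headers(host)
    elif protocol == "h2c":
        headers = h2c_upgrade_headers(host)
    else:
        raise ValueError(f"unsupported upgrade protocol: {protocol}")
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()  # http.client returns a 101 like any other status
        resp_headers = dict(resp.getheaders())
        return {
            "protocol": protocol,
            "status": resp.status,
            "accepted": upgrade_accepted(resp.status, resp_headers, protocol),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Assumed target: a local SonarQube on its default port 9000.
    for proto in ("websocket", "h2c"):
        result = probe_upgrade("localhost", 9000, "/", proto)
        state = "ENABLED" if result["accepted"] else "not enabled"
        print(f"{proto}: HTTP {result['status']} -> {state}")
```

Run it against the SonarQube web port; "not enabled" for both protocols is consistent with the statements in the thread, while an "ENABLED" line for either means the CVE mapping above does not hold for that instance and the embedded Tomcat version matters. Probing the exposed port is deliberate: a reverse proxy in front of SonarQube can terminate or forward upgrades differently from Tomcat itself, so check the path clients actually use.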