Hi Timmy,
Thanks for the ping. I’m sorry we didn’t get back to you earlier. In fact, our investigation showed this:
CVE-2020-11996 ==> only applies to WebSocket, which is explicitly disabled in our Tomcat configuration
CVE-2020-13934 ==> only for HTTP/2, which is not enabled
So nothing from this announcement affects us.
Not that you can tell, but we did jump right onto this & closed the internal ticket on 14 Aug. We just forgot to get back to you on it.
We really do appreciate the time you took to make the report. I apologize for not being more responsive.
Ann
P.S. I’ve re-listed this topic.