Debian 9: DLA-2286-1 Critical: Tomcat8 Denial Of Service Issues

Debian LTS, July 22, 2020
Upgrading tomcat8 on Debian 9 addresses the denial-of-service vulnerabilities described below; the advisory names the fixed package version and where to find instructions for applying LTS updates.
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

Summary

CVE-2020-13934

An h2c direct connection to Apache Tomcat did not release the
HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient
number of such requests were made, an OutOfMemoryException could
occur leading to a denial of service.

CVE-2020-13935

The payload length in a WebSocket frame was not correctly validated
in Apache Tomcat. Invalid payload lengths could trigger an infinite
loop. Multiple requests with invalid payload lengths could lead to a
denial of service.

For Debian 9 stretch, these problems have been fixed in version
8.5.54-0+deb9u3.

We recommend that you upgrade your tomcat8 packages.

For the detailed security status of tomcat8 please refer to
its security tracker page at:

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity: critical

Package: tomcat8
Version: 8.5.54-0+deb9u3
CVE ID: CVE-2020-13934 CVE-2020-13935
