The severity of this issue is rated Moderate. Please act as described below to remediate it.
Affected versions:
- Apache Tomcat 10.0.0-M1 to 10.0.0-M7
- Apache Tomcat 9.0.0.M5 to 9.0.37
- Apache Tomcat 8.5.1 to 8.5.57
What you need to know:
In a recent security advisory, the Apache Software Foundation released fixed versions for CVE-2020-13943, an HTTP/2 request mix-up flaw in Apache Tomcat.
According to Apache, if an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), a subsequent request made on that connection could contain HTTP headers, including HTTP/2 pseudo headers, from a previous request rather than the intended headers. This could lead to users receiving responses for resources they did not request, and to sensitive information from one request being exposed to another. Because the mix-up is between requests on the same HTTP/2 connection, the exposure is greatest where a reverse proxy or load balancer multiplexes many clients' requests onto one connection to Tomcat.
Actions to be taken:
Only connectors with HTTP/2 enabled (an <UpgradeProtocol> of class org.apache.coyote.http2.Http2Protocol in server.xml) can trigger the flaw, but as recommended by the Apache Software Foundation, all Tomcat users on the affected branches should upgrade:
- Upgrade to Apache Tomcat 10.0.0-M8 or later
- Upgrade to Apache Tomcat 9.0.38 or later
- Upgrade to Apache Tomcat 8.5.58 or later
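To turn the version ranges above and the upgrade actions into a repeatable check, the following script is an added example (it is not part of the advisory or of the Tomcat project). It encodes the affected and fixed ranges quoted above, parses the version string that `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` prints, and inspects server.xml for connectors that actually enable HTTP/2. The ServerInfo output and the server.xml fragment embedded below are constructed samples, not captured from a real deployment.

```python
"""Check a Tomcat installation against the CVE-2020-13943 advisory.

Added example, not code from the advisory or from Apache Tomcat. It
answers two questions before an upgrade is scheduled:

1. Is the installed version inside one of the affected ranges?
2. Is HTTP/2 enabled on any connector? Only connectors carrying an
   <UpgradeProtocol> of class org.apache.coyote.http2.Http2Protocol
   speak HTTP/2; the stock server.xml ships with that element commented out.
"""
import re
import xml.etree.ElementTree as ET

HTTP2_PROTOCOL = "org.apache.coyote.http2.Http2Protocol"

# A milestone sorts before the GA build of the same number, so a version
# becomes (major, minor, patch, is_ga, milestone). Tomcat spells
# milestones 10.0.0-M7 (10.x) or 9.0.0.M5 (9.x); both forms are accepted.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text):
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# (first affected, last affected, first fixed) per branch, as stated in the advisory.
ADVISORY = [
    ("10.0.0-M1", "10.0.0-M7", "10.0.0-M8"),
    ("9.0.0.M5", "9.0.37", "9.0.38"),
    ("8.5.1", "8.5.57", "8.5.58"),
]


def check_version(version):
    """Return (affected, first_fixed) for a Tomcat version string.

    first_fixed is None when the version lies outside every affected range,
    i.e. it is already fixed or on a branch the advisory does not list.
    """
    v = parse_version(version)
    for first, last, fixed in ADVISORY:
        if parse_version(first) <= v <= parse_version(last):
            return True, fixed
    return False, None


def version_from_server_info(output):
    """Extract the version from ServerInfo output such as
    'Server version: Apache Tomcat/9.0.37'."""
    m = re.search(r"Apache Tomcat/(\S+)", output)
    if not m:
        raise ValueError("no 'Apache Tomcat/<version>' line found")
    return m.group(1)


def http2_connectors(server_xml):
    """Return the port of every Connector whose UpgradeProtocol child
    enables HTTP/2."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_PROTOCOL:
                ports.append(connector.get("port"))
    return ports


def report(server_info_output, server_xml):
    """Combine both checks into one line of advice."""
    version = version_from_server_info(server_info_output)
    affected, fixed = check_version(version)
    ports = http2_connectors(server_xml)
    if not affected:
        return f"Tomcat {version}: not in an affected range for CVE-2020-13943"
    if not ports:
        return (f"Tomcat {version} is in an affected range (fix: {fixed}), but no "
                "connector enables HTTP/2; upgrade at the next maintenance window")
    return (f"Tomcat {version} is affected (fix: {fixed}); HTTP/2 is enabled on "
            f"connector port(s) {', '.join(ports)}: upgrade now, or remove the "
            "Http2Protocol UpgradeProtocol until you can")


# Constructed sample inputs (not from a real system).
SAMPLE_SERVER_INFO = "Server version: Apache Tomcat/9.0.37\nServer number:  9.0.37.0\n"
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    print(report(SAMPLE_SERVER_INFO, SAMPLE_SERVER_XML))
```

On a real host, feed `report()` the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` (run from CATALINA_HOME) and the contents of conf/server.xml. The version comparison treats milestone builds as older than the GA release of the same number, which is what makes 10.0.0-M8 sort after 10.0.0-M7 and 9.0.0.M5 sort before 9.0.1.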