How to understand the Apache Tomcat HTTP/2 denial of service attack vulnerability CVE-2020-11996

Updated 2025-01-16. Source: SLTechnology News & Howtos (shulou.com), 06/01 report, reproducing a 360CERT advisory.

How should the Apache Tomcat HTTP/2 denial-of-service vulnerability CVE-2020-11996 be understood? This article sets out the background, the risk rating, the affected versions and the recommended remediation, so that readers can check their own deployments quickly.

0x00 vulnerability background

On June 29, 2020, 360CERT monitoring noted that the Apache Software Foundation had published an advisory for a denial-of-service vulnerability in Tomcat's HTTP/2 implementation. The vulnerability is tracked as CVE-2020-11996; 360CERT rates it medium risk.

Tomcat is a Servlet container developed by the Apache Software Foundation's Jakarta project. It implements the Servlet and JavaServer Pages (JSP) specifications originally published by Sun Microsystems and, used as a web server, adds features of its own such as the Tomcat management console, security realm management and Tomcat valves.

A maliciously constructed sequence of HTTP/2 requests can trigger high CPU usage within seconds. If a sufficient number of such requests are made on concurrent HTTP/2 connections, the server may become unresponsive.

360CERT therefore recommends that users install the latest patches promptly and carry out an inventory of their own assets and the corresponding hardening, so as to avoid attacks.

0x01 risk rating

360CERT's assessment of the vulnerability is as follows

Assessment item: Rating
Threat level: Medium
Impact scope: Wide

0x02 vulnerability details

The trigger is a specially crafted sequence of HTTP/2 requests that drives the server to high CPU usage within a few seconds. Sent in sufficient numbers over concurrent HTTP/2 connections, such request sequences can leave the server unresponsive; the advisory describes no memory corruption or code execution, only CPU exhaustion. One practical caveat for triage: Tomcat speaks HTTP/2 only on a Connector whose server.xml entry carries an explicit <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/> element, which the stock server.xml ships commented out, so an affected version that serves only HTTP/1.1 connectors cannot be reached through this bug, although it should still be upgraded.

0x03 affected versions

Apache Tomcat: 10.0.0-M1 to 10.0.0-M5

Apache Tomcat: 9.0.0.M1 to 9.0.35

Apache Tomcat: 8.5.0 to 8.5.55

0x04 remediation recommendations

General patching recommendations:

Users of Apache Tomcat 10.0.0-M1 to 10.0.0-M5 should upgrade to 10.0.0-M6 or later, available from:

https://tomcat.apache.org/download-10.cgi

Users of Apache Tomcat 9.0.0.M1 to 9.0.35 should upgrade to 9.0.36 or later, available from:

https://tomcat.apache.org/download-90.cgi

Users of Apache Tomcat 8.5.0 to 8.5.55 should upgrade to 8.5.56 or later, available from:

https://tomcat.apache.org/download-80.cgi
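As an added example (my own code, not part of the 360CERT advisory or the Tomcat project), the following Python script performs the asset self-check this advisory calls for. It parses a Tomcat version string, either bare or as the "Server version: Apache Tomcat/x.y.z" line printed by catalina.sh version, against the affected ranges listed in section 0x03, including the milestone forms 9.0.0.M1 and 10.0.0-M5, and it inspects conf/server.xml for connectors that actually enable HTTP/2 via the UpgradeProtocol element, so that an affected version on HTTP/1.1-only connectors is reported as needing a patch but not as currently exposed. The server.xml embedded in the script is a constructed sample, and the function and class names are my own.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional

# Affected ranges and the first fixed release, as listed in the advisory above.
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M5", "10.0.0-M6"),
    ("9.0.0.M1", "9.0.35", "9.0.36"),
    ("8.5.0", "8.5.55", "8.5.56"),
]

# Tomcat's HTTP/2 implementation; a Connector speaks HTTP/2 only when it
# carries an <UpgradeProtocol> element naming this class.
HTTP2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"

# Matches "9.0.35", the old milestone form "9.0.0.M1" and the newer "10.0.0-M5".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    release: int    # 0 = milestone, 1 = final, so 9.0.0.M27 sorts before 9.0.0 / 9.0.1
    milestone: int


def parse_version(text: str) -> TomcatVersion:
    """Parse a bare version or the 'Server version: Apache Tomcat/x.y.z' line
    printed by `catalina.sh version` / `version.bat`."""
    m = re.search(r"Apache Tomcat/(\S+)", text)
    if m:
        text = m.group(1)
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


def fixed_version_for(version_text: str) -> Optional[str]:
    """First fixed release if the version lies in an affected range, else None."""
    v = parse_version(version_text)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def http2_connector_ports(server_xml: str) -> List[str]:
    """Ports of every Connector that enables HTTP/2. ElementTree drops XML
    comments, so the commented-out HTTP/2 block in the stock server.xml
    is correctly not counted."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        for upgrade in connector.findall("UpgradeProtocol"):
            if upgrade.get("className") == HTTP2_UPGRADE_CLASS:
                ports.append(connector.get("port", "?"))
    return ports


class Assessment(NamedTuple):
    fixed_version: Optional[str]   # None when the version is outside the affected ranges
    http2_ports: List[str]

    @property
    def exposed(self) -> bool:
        """Affected version AND at least one connector with HTTP/2 enabled."""
        return self.fixed_version is not None and bool(self.http2_ports)


def assess(version_text: str, server_xml: str) -> Assessment:
    return Assessment(fixed_version_for(version_text), http2_connector_ports(server_xml))


# Constructed sample (not a real deployment): one HTTP/1.1 connector, the stock
# commented-out HTTP/2 block, and one live HTTP/2 connector on 8443.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!--
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Constructed sample line in the shape `catalina.sh version` prints it.
    result = assess("Server version: Apache Tomcat/9.0.35", SAMPLE_SERVER_XML)
    if result.exposed:
        print(f"EXPOSED on port(s) {', '.join(result.http2_ports)}; upgrade to {result.fixed_version}")
    elif result.fixed_version:
        print(f"affected version, HTTP/2 not enabled; upgrade to {result.fixed_version}")
    else:
        print("not affected")
```

In practice, feed it the output of $CATALINA_HOME/bin/catalina.sh version and the contents of $CATALINA_BASE/conf/server.xml from each host in the inventory; a host that reports "exposed" should be patched first, and one that reports an affected version without HTTP/2 still needs the upgrade before anyone enables the UpgradeProtocol element.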

0x05 related asset mapping data

Mapping of assets across the whole Internet shows that Apache Tomcat is widely deployed around the world, as shown in the figure below.

0x06 product-side solution

360 city-level network security monitoring service

The QUAKE asset mapping platform of the 360 Security Brain monitors for this class of vulnerability using asset mapping technology; users who need the corresponding products should contact the relevant product-line contacts.

That concludes the analysis of the Apache Tomcat HTTP/2 denial-of-service vulnerability CVE-2020-11996: check the running version against the ranges in section 0x03, and upgrade to the fixed releases listed in section 0x04.
