Impact
The version of Tomcat installed on the remote host is 8.5.x prior to 8.5.58 or 9.0.x prior to 9.0.38. It is, therefore, affected by a vulnerability. If an HTTP/2 client exceeds the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it is possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This can lead to users seeing responses for unexpected resources.
The default Percussion DTS configuration does not enable HTTP/2 connectors in Tomcat, so users are not affected by this vulnerability unless they have customized their DTS Tomcat configuration to use HTTP/2.
Patches
Tomcat 9.0.40 is included in the 8.0.0 release. Note that Tomcat released an update to 9.0.39 because that release introduced CVE-2020-17527 and [CVE-2021-24122](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122), so we have updated to 9.0.40.
Workarounds
Use the default HTTP 1.x Tomcat connectors until applying this update.
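As an added, self-contained check (not part of this advisory or the Percussion code base), the script below combines the two conditions from the Impact section: a bundled Tomcat in the affected range, and a conf/server.xml that enables the HTTP/2 upgrade protocol on a connector. The version thresholds are taken from this advisory; the server.xml sample is constructed, and the UpgradeProtocol element it shows is Tomcat's standard way of opting a connector into HTTP/2.

```python
"""Pre-check for the Tomcat HTTP/2 header mix-up described in this advisory.

An instance is exposed only when BOTH hold:
  1. Tomcat is 8.5.x < 8.5.58 or 9.0.x < 9.0.38 (ranges from the advisory).
  2. server.xml enables the HTTP/2 upgrade on at least one Connector.
Removing the UpgradeProtocol element is the documented workaround.
"""
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"
# (major, minor) -> first fixed patch level, per the advisory
FIXED = {(8, 5): 58, (9, 0): 38}


def tomcat_affected(version: str) -> bool:
    """True if the version string falls inside an affected range."""
    try:
        major, minor, patch = (int(p) for p in version.strip().split(".")[:3])
    except ValueError:
        raise ValueError(f"unparseable Tomcat version: {version!r}")
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed


def http2_connectors(server_xml: str) -> list[str]:
    """Return the port of every Connector carrying an HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    ports = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == HTTP2_CLASS:
                ports.append(conn.get("port", "?"))
    return ports


def exposed(version: str, server_xml: str) -> bool:
    """Both conditions must hold for the instance to be exposed."""
    return tomcat_affected(version) and bool(http2_connectors(server_xml))


# Constructed sample: a default HTTP/1.1 connector plus one customised
# connector that opts into HTTP/2 (the non-default setup the advisory warns about).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""
```

Run `exposed("9.0.37", SAMPLE_SERVER_XML)` against your own version and server.xml; a True result means the workaround above applies until the update is installed.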
References
For more information
If you have any questions or comments about this advisory: