CVE-2020-11996 Apache Tomcat High CPU Usage Or DoS Attack

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities (CVEs)

1.1        Vulnerability Summary

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If enough of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Watch the video to learn more about this and other important vulnerabilities.

1.2        CVSS Score

The CVSS Base Score is 7.5 (High)

1.3        Affected Version

Apache Tomcat 10.0.0-M1 to 10.0.0-M5

Apache Tomcat 9.0.0.M1 to 9.0.35

Apache Tomcat 8.5.0 to 8.5.55 (March 2016)

Vulnerability Attribution

This issue was reported publicly via the Apache Tomcat Users mailing list without reference to the potential for DoS. The DoS risks were identified by the Apache Tomcat Security Team.

Risk Impact

A publicly disclosed exploit code is available here. Based on this link from 2010, Apache Tomcat has been downloaded 10 Million times. Tomcat has 60% market share of Java Application servers. Given that Apache Tomcat powers a broad range of web applications across countless industries and use cases, from Fortune 500 conglomerates to service providers to eCommerce systems, it is reasonable to estimate that 10s of millions of this software are in use.

Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP)-Mem’s exception handling capability can be used to identify the malicious traffic and then the VSP Protection Engine can fire an upstream Protection Action into VSP-APG which will drop the so called “specially crafted” HTTP/2 packet.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.

Jump to: List of CVE Vulnerabilities

About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.