==========================================================================
Ubuntu Security Notice USN-4596-1
October 21, 2020
tomcat9 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
– Ubuntu 20.04 LTS
Summary:
Several security issues were fixed in Tomcat.
Software Description:
– tomcat9: Apache Tomcat 9 – Servlet and JSP engine
Details:
It was discovered that Tomcat did not properly manage HTTP/2 streams. An
attacker could possibly use this to cause Tomcat to consume resources,
resulting in a denial of service. (CVE-2020-11996)
It was discovered that Tomcat did not properly release the HTTP/1.1
processor after the upgrade to HTTP/2. An attacker could possibly use
this to generate an OutOfMemoryException, resulting in a denial of
service. (CVE-2020-13934)
It was discovered that Tomcat did not properly validate the payload
length in a WebSocket frame. An attacker could possibly use this to
trigger an infinite loop, resulting in a denial of service. (CVE-2020-13935)
It was discovered that Tomcat did not properly deserialize untrusted
data. An attacker could possibly use this issue to execute arbitrary
code. (CVE-2020-9484)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 20.04 LTS:
libtomcat9-embed-java 9.0.31-1ubuntu0.1
libtomcat9-java 9.0.31-1ubuntu0.1
tomcat9 9.0.31-1ubuntu0.1
tomcat9-common 9.0.31-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4596-1
CVE-2020-11996, CVE-2020-13934, CVE-2020-13935, CVE-2020-9484
Package Information:
https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.1
—–BEGIN PGP SIGNATURE—–
iQIzBAEBCgAdFiEE7MowLJorxPNkyBZZW+PTAFZKyRgFAl+QR6kACgkQW+PTAFZK
yRjHYxAAzA3ORFiMDM4di/JLtJVxpDeLWdaxSc5kfaW74lOJNRqj7vyO2Y0seafg
8mHzM6O1EY3mRvB5o7h8Z+MzeY+8i+x84kntckf8lpfqiVWCUExjFXu7bJa1n+JE
H5k+vt+0ee7xUP1hOfw7X+m0WgxT3NhGFR9gXR1a0JXsTqTvbH+XCVO0MsXpC/Ur
kGWfgWeaTPUfqjrsmfqxAkdvcSZggPfvtc+PyTbdipZ+B2RBfO4Zz5T+GuWfX1bZ
AYNUIJGzPC2S//aPt8dIU6LsNVKASIHbVtPPbXsybHMtnMeaUWrwWF10BqZ0jqyW
Xxe7MoDx/wIjFosYVvqywSQWg6wI71x8SziD6UmkH1oEYLEQ6+OHcfVzN+N3gTpq
/66gzvlRGMNwO2R+RPEGaBwSOSZLOYZx+s1Q6pWSeCUfaoAY15DLY6iIXRKau79S
SiSL6aLgaTKlPzg1w7nkYtfwaMGtpDnfYoV2TVx1tTwB61OmOHE0p0zLC6diHMG9
7YGYcXsz2vLbb5KBEwqg95pkawCl43AQhRGwYno/AY+QIgy8m+cWVLMF+stw1XME
7KVWMj1KoNHdwR+i1su310T1JxYAsW8SwZEC38hQ2GsL7ZrQ/AFNaHbc8QW6omsv
0J+r0SA/nnmJikRoKjpaktJtvlqgbvuPQ9cnYwzcwdv7sjtdc8g=
=9jtZ
—–END PGP SIGNATURE—–
—