The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat: overload via WebSocket

Synthesis of the vulnerability 

An attacker can trigger an overload via WebSocket of Apache Tomcat, in order to trigger a denial of service.
Impacted products: Tomcat, Debian, Avamar, HP-UX, QRadar SIEM, ePO, openSUSE Leap, Oracle DB, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this bulletin: 2/4.
Creation date: 14/07/2020.
References of this threat: 6344075, bulletinjul2020, CERTFR-2020-AVI-626, cpuoct2020, CVE-2020-13935, DLA-2286-1, DSA-2020-211, DSA-4627-1, HPESBUX04015, openSUSE-SU-2020:1102-1, openSUSE-SU-2020:1111-1, RHSA-2020:3382-01, RHSA-2020:3383-01, RHSA-2020:4004-01, SB10332, SUSE-SU-2020:2037-1, SUSE-SU-2020:2045-1, SUSE-SU-2020:2046-1, SUSE-SU-2020:2047-1, SUSE-SU-2020:2611-1, USN-4448-1, USN-4596-1, VIGILANCE-VUL-32793.

Description of the vulnerability 

An attacker can trigger an overload via WebSocket of Apache Tomcat, in order to trigger a denial of service.

This cybersecurity alert impacts software or systems such as Tomcat, Debian, Avamar, HP-UX, QRadar SIEM, ePO, openSUSE Leap, Oracle DB, Solaris, RHEL, JBoss EAP by Red Hat, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team determined that the severity of this weakness is medium.

The trust level is confirmed by the editor, and the attack origin is an intranet client.

An attacker with an expert ability can exploit this security weakness.

Solutions for this threat 

Apache Tomcat: version 9.0.37.
The version 9.0.37 is fixed:
  http://tomcat.apache.org/whichversion.html

Apache Tomcat: version 8.5.57.
The version 8.5.57 is fixed:
  http://tomcat.apache.org/whichversion.html

Apache Tomcat: version 7.0.105.
The version 7.0.105 is fixed:
  http://tomcat.apache.org/download-70.cgi

Debian 10: new tomcat9 packages.
New packages are available:
  Debian 10: tomcat9 9.0.31-1~deb10u2

Debian 9: new tomcat8 packages.
New packages are available:
  Debian 9: tomcat8 8.5.54-0+deb9u3

Dell EMC Avamar: solution for Multiple Components.
The solution is indicated in information sources.

HP-UX Tomcat: version 7.0.104.01.
The version 7.0.104.01 is fixed:
  https://myenterpriselicense.hpe.com/cwp-ui/free-software/HPUXWSATW509

IBM QRadar SIEM: patch for Components.
A patch is indicated in information sources.

McAfee ePolicy Orchestrator: versions 5.9.1 and 5.10.0 Update 9.
Versions 5.9.1 and 5.10.0 Update 9 are fixed:
  http://www.mcafee.com/us/downloads/downloads.aspx

openSUSE Leap 15.1: new tomcat packages.
New packages are available:
  openSUSE Leap 15.1: tomcat 9.0.36-lp151.3.27.1

openSUSE Leap 15.2: new tomcat packages.
New packages are available:
  openSUSE Leap 15.2: tomcat 9.0.36-lp152.2.4.1

Oracle Database: CPU of October 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2694898.1

Oracle Solaris: patch for third party software of July 2020 v3.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Red Hat JBoss EAP: patch for Tomcat WebSocket.
A patch is indicated in information sources.

RHEL 7.8: new tomcat packages.
New packages are available:
  RHEL 7.0-7.8: tomcat 7.0.76-15.el7

SUSE LE 12 SP2-3: new tomcat packages.
New packages are available:
  SUSE LE 12 SP2: tomcat 8.0.53-29.37.1
  SUSE LE 12 SP3: tomcat 8.0.53-29.37.1

SUSE LE 12 SP4-5: new tomcat packages.
New packages are available:
  SUSE LE 12 SP4: tomcat 9.0.36-3.45.1
  SUSE LE 12 SP5: tomcat 9.0.36-3.45.1

SUSE LE 15 RTM-SP2: new tomcat packages.
New packages are available:
  SUSE LE 15 RTM: tomcat 9.0.36-3.65.2
  SUSE LE 15 SP1: tomcat 9.0.36-4.41.2
  SUSE LE 15 SP2: tomcat 9.0.36-3.6.1

Ubuntu 16.04: new tomcat8 packages.
New packages are available:
  Ubuntu 16.04 LTS: tomcat8 8.0.32-1ubuntu1.13

Ubuntu 20.04: new tomcat9 packages.
New packages are available:
  Ubuntu 20.04 LTS: tomcat9 9.0.31-1ubuntu0.1
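As an added example that is not part of the Vigil@nce bulletin, the following Python classifies a reported Apache Tomcat version against the upstream fixed releases listed above (9.0.37, 8.5.57, 7.0.105). Distribution packages such as Debian's 9.0.31-1~deb10u2 are flagged rather than judged, because vendors backport the fix without raising the upstream number; the sample inventory is constructed.

```python
# Added example, not from the bulletin: triage Tomcat versions against the
# upstream fixed releases named for CVE-2020-13935.
import re
from typing import Dict, Optional, Tuple

# Upstream fixed releases from the bulletin, keyed by branch (major, minor).
FIXED_UPSTREAM = {
    (9, 0): (9, 0, 37),
    (8, 5): (8, 5, 57),
    (7, 0): (7, 0, 105),
}

# major.minor.patch with an optional distro suffix such as "-1~deb10u2" or "-1ubuntu0.1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([-~+].*)?$")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], bool]:
    """Return ((major, minor, patch), has_distro_suffix) or raise ValueError."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Tomcat version string: {text!r}")
    major, minor, patch = (int(g) for g in m.groups()[:3])
    return (major, minor, patch), m.group(4) is not None


def status(text: str) -> str:
    """Classify one version as fixed, vulnerable, distro-packaged or unknown-branch."""
    (major, minor, patch), distro = parse_version(text)
    if distro:
        # A packaged build: compare with the vendor's fixed package version
        # (e.g. Debian 10 tomcat9 9.0.31-1~deb10u2), not with the upstream number.
        return "distro-packaged"
    fixed = FIXED_UPSTREAM.get((major, minor))
    if fixed is None:
        # e.g. 8.0.x or 10.x: the bulletin lists no upstream fix for this branch.
        return "unknown-branch"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


# Constructed sample inventory: hostname -> Tomcat version reported by the host.
SAMPLE_INVENTORY = {
    "app-01": "9.0.36",
    "app-02": "9.0.37",
    "legacy-01": "7.0.104",
    "deb-01": "9.0.31-1~deb10u2",
}


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map every host in the inventory to its status for this bulletin."""
    return {host: status(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {result}")
```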

Computer vulnerabilities tracking service 

Vigil@nce provides a cybersecurity alert. The Vigil@nce vulnerability database contains several thousand vulnerabilities.