CVE-2020-13934: Apache Tomcat HTTP/2 Upgrade Memory Leak Vulnerability


Description Preview

Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36, and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after a direct h2c connection was upgraded to HTTP/2. A direct h2c connection is a cleartext connection on which the client sends the HTTP/2 connection preface immediately, instead of an HTTP/1.1 request carrying an Upgrade: h2c header. Every such connection leaves one processor object on the heap, so any client that can reach an HTTP/2-enabled connector and open enough of these connections can drive the JVM to an OutOfMemoryException (a java.lang.OutOfMemoryError) and deny service.

Overview

This vulnerability (CVE-2020-13934) sits in the HTTP/2 support of Apache Tomcat. Tomcat serves a cleartext connection with an HTTP/1.1 processor until it recognises the HTTP/2 connection preface of a direct h2c connection, at which point it hands the connection to its HTTP/2 handler. In the affected versions the HTTP/1.1 processor that handled the start of the connection was never released after that upgrade, so each direct h2c connection retained memory it no longer needed. As these unreleased processors accumulate, heap usage grows until the JVM throws an OutOfMemoryException and Tomcat stops serving requests.

The vulnerability is recorded under two Common Weakness Enumeration (CWE) identifiers:

  1. CWE-476: NULL Pointer Dereference - the application attempts to access memory through a null pointer
  2. CWE-401: Missing Release of Memory after Effective Lifetime - the application fails to release memory after it has served its purpose, leading to a memory leak; this is the behaviour the Tomcat advisory describes

An attacker exploits this by repeatedly opening direct h2c connections to a connector on which HTTP/2 is enabled. Each connection leaves one dead HTTP/1.1 processor on the heap, so the server's memory consumption climbs with the number of connections until it runs out of heap and becomes unresponsive; nothing beyond reaching the connector is required.
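The handshake that reaches the leaking code path, as an added example written for this page (it is not code from Apache Tomcat or from the advisory). It encodes the HTTP/2 connection preface and the empty SETTINGS frame a direct h2c client sends, and classifies the server's first bytes so an operator can check with a single connection whether a connector accepts direct h2c. The sample replies at the bottom are constructed for offline use, and the function names are this example's own.

```python
"""Direct h2c handshake probe (added example, not Tomcat project code).

A direct h2c client sends the HTTP/2 connection preface followed by a
SETTINGS frame. If the server answers with its own SETTINGS frame, the
connector performed the HTTP/1.1 -> HTTP/2 upgrade that CVE-2020-13934
leaks on; an HTTP/1.x status line means direct h2c is not in use.
"""
import socket
import struct

# RFC 7540 section 3.5: the fixed 24-byte connection preface.
H2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9
FRAME_TYPE_SETTINGS = 0x4


def build_frame(frame_type: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one HTTP/2 frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a single frame")
    header = (struct.pack(">I", len(payload))[1:]
              + bytes([frame_type, flags])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_frame_header(data: bytes):
    """Decode a 9-byte frame header into (length, type, flags, stream_id); None if too short."""
    if len(data) < FRAME_HEADER_LEN:
        return None
    length = int.from_bytes(data[0:3], "big")
    frame_type = data[3]
    flags = data[4]
    stream_id = struct.unpack(">I", data[5:9])[0] & 0x7FFFFFFF
    return length, frame_type, flags, stream_id


def client_hello() -> bytes:
    """Everything a direct h2c client sends before expecting the server's SETTINGS."""
    return H2_PREFACE + build_frame(FRAME_TYPE_SETTINGS, 0, 0)


def classify_response(data: bytes) -> str:
    """'h2c-direct' if the server answered with an HTTP/2 SETTINGS frame on stream 0,
    'http1' if it answered with an HTTP/1.x status line, otherwise 'unknown'."""
    if data.startswith(b"HTTP/1."):
        return "http1"
    hdr = parse_frame_header(data)
    if hdr is not None:
        length, frame_type, _flags, stream_id = hdr
        # A SETTINGS payload is a sequence of 6-byte (identifier, value) pairs on stream 0.
        if frame_type == FRAME_TYPE_SETTINGS and stream_id == 0 and length % 6 == 0:
            return "h2c-direct"
    return "unknown"


def probe_h2c_direct(host: str, port: int = 8080, timeout: float = 5.0) -> str:
    """Open ONE cleartext connection, send the preface, and classify the reply.
    A single probe is a configuration check; opening many such connections
    against an unpatched Tomcat is the denial of service the advisory describes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello())
        data = b""
        while len(data) < FRAME_HEADER_LEN:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify_response(data)


# Constructed sample replies (not captured from a real server) for offline use:
# a server SETTINGS frame advertising MAX_CONCURRENT_STREAMS=100 and INITIAL_WINDOW_SIZE=65535,
# and a plain HTTP/1.1 error response.
SAMPLE_H2_SETTINGS = build_frame(FRAME_TYPE_SETTINGS, 0, 0,
                                 struct.pack(">HI", 0x3, 100) + struct.pack(">HI", 0x4, 65535))
SAMPLE_HTTP1 = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    import sys
    target_host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 8080
    print(f"{target_host}:{target_port} -> {probe_h2c_direct(target_host, target_port)}")
```

Run it once against a test instance you own; a result of h2c-direct on a version in the affected ranges means the leaking path is reachable from the network.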

Remediation

To address this vulnerability, administrators should take the following actions:

  1. Update Apache Tomcat to a patched version:
    • For Tomcat 10.x: update to version 10.0.0-M7 or later
    • For Tomcat 9.x: update to version 9.0.37 or later
    • For Tomcat 8.5.x: update to version 8.5.57 or later
  2. If immediate updating is not possible, consider one of these workarounds:
    • Disable HTTP/2 on the affected connectors by removing the UpgradeProtocol element (className org.apache.coyote.http2.Http2Protocol) from each Connector in conf/server.xml. Without it the connector never performs the HTTP/1.1 to HTTP/2 upgrade that leaks the processor, but clients also lose HTTP/2 on that connector
    • Place a reverse proxy in front of Tomcat that speaks plain HTTP/1.1 to the backend and does not forward HTTP/2 upgrade requests or the HTTP/2 connection preface
    • Rate-limit new connections per source address at the network edge or proxy; this slows the leak but does not stop it, so treat it as a stopgap rather than a fix
  3. Monitor JVM heap usage (for example through JMX and the java.lang:type=Memory MBean, or GC logs) for growth that survives garbage collection, and watch Tomcat's logs for OutOfMemoryError entries
  4. After applying patches, restart the Tomcat service so that the patched version is the one serving traffic
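A small exposure audit for the two questions the remediation steps raise: is the running version inside the affected ranges, and does server.xml still enable HTTP/2 on a connector? This is an added example written for this page, not a tool from Armis or the Tomcat project. The two server.xml fragments are constructed for the example (a Connector with the Http2Protocol UpgradeProtocol beside the same Connector with it removed), and the function names are this example's own.

```python
"""Exposure audit for CVE-2020-13934 (added example, not part of the Armis page
or the Tomcat project). Checks a Tomcat version string against the affected
ranges in the advisory and scans a server.xml for Connectors that enable HTTP/2
via <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>.
"""
import re
import xml.etree.ElementTree as ET

HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"
# Matches '9.0.36', '10.0.0-M6', '9.0.0.M5' and 'Apache Tomcat/8.5.56'.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?")


def version_key(version: str):
    """Turn a Tomcat version string into a sortable tuple. Milestone builds
    (the 9.0.0.Mn / 10.0.0-Mn series) sort before a GA release carrying the
    same three numbers, matching Tomcat's own release ordering."""
    m = _VERSION_RE.search(version)
    if m is None:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive affected ranges taken from the advisory text.
AFFECTED_RANGES = [
    (version_key("10.0.0-M1"), version_key("10.0.0-M6")),
    (version_key("9.0.0.M5"), version_key("9.0.36")),
    (version_key("8.5.1"), version_key("8.5.56")),
]


def is_affected_version(version: str) -> bool:
    key = version_key(version)
    return any(lo <= key <= hi for lo, hi in AFFECTED_RANGES)


def http2_connector_ports(server_xml: str) -> list:
    """Ports of every Connector that nests the HTTP/2 UpgradeProtocol element."""
    root = ET.fromstring(server_xml)
    ports = []
    for connector in root.iter("Connector"):
        if any(u.get("className") == HTTP2_CLASS for u in connector.findall("UpgradeProtocol")):
            ports.append(connector.get("port"))
    return ports


def audit(version: str, server_xml: str) -> dict:
    """Exposed only when BOTH hold: an affected version and an HTTP/2-enabled connector."""
    ports = http2_connector_ports(server_xml)
    affected = is_affected_version(version)
    return {"version": version, "version_affected": affected,
            "http2_connectors": ports, "exposed": affected and bool(ports)}


# Constructed server.xml fragments (hypothetical, trimmed to the relevant elements).
VULNERABLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- HTTP/2 enabled on the cleartext connector: direct h2c reaches the leaking path -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- Workaround: UpgradeProtocol removed, so the connector never upgrades to HTTP/2 -->
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver, xml in [("9.0.36", VULNERABLE_SERVER_XML), ("9.0.36", HARDENED_SERVER_XML),
                     ("9.0.37", VULNERABLE_SERVER_XML)]:
        print(audit(ver, xml))
```

Point it at the real conf/server.xml and the version string from version.sh (or the "Apache Tomcat/x.y.z" banner in the logs); a result of exposed means either patch or apply the server.xml workaround before anything else.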

References

  1. Apache Tomcat Security Announcement: https://lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652ee4f962e%40%3Cannounce.tomcat.apache.org%3E
  2. Apache Tomcat Bug Report: https://lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8%40%3Cdev.tomcat.apache.org%3E
  3. Debian Security Advisory: https://www.debian.org/security/2020/dsa-4727
  4. Ubuntu Security Notice: https://usn.ubuntu.com/4596-1/
  5. NetApp Security Advisory: https://security.netapp.com/advisory/ntap-20200724-0003/
  6. Oracle Critical Patch Updates:
    • https://www.oracle.com/security-alerts/cpuoct2020.html
    • https://www.oracle.com/security-alerts/cpujan2021.html
    • https://www.oracle.com/security-alerts/cpuApr2021.html
    • https://www.oracle.com//security-alerts/cpujul2021.html
    • https://www.oracle.com/security-alerts/cpujan2022.html
  7. openSUSE Security Announcements:
    • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html
    • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html

Industry Exposure (most to least affected)

This section shows how often this CVE has been observed across industries, based on customer reports, ranked from the most to the least affected. The ranking helps organizations in these sectors compare their exposure with their peers and prioritize patching and other remediation where the vulnerability is most frequently observed.

  1. Manufacturing
  2. Health Care & Social Assistance
  3. Public Administration
  4. Finance and Insurance
  5. Transportation & Warehousing
  6. Educational Services
  7. Utilities
  8. Retail Trade
  9. Professional, Scientific, & Technical Services
  10. Other Services (except Public Administration)
  11. Management of Companies & Enterprises
  12. Arts, Entertainment & Recreation
  13. Information
  14. Accommodation & Food Services
  15. Agriculture, Forestry, Fishing & Hunting
  16. Mining
  17. Wholesale Trade
  18. Administrative, Support, Waste Management & Remediation Services
  19. Construction
  20. Real Estate Rental & Leasing


Armis Vulnerability Intelligence Database