Nexus Intelligence Insights:CVE-2020-13935 – Apache Tomcat Websocket – Denial of Service (DoS)

For July’s Nexus Intelligence Insight we take a deep dive into a Denial of Service (DoS) vulnerability impacting the popular Apache Tomcat Websocket component.

The vulnerability originates due to improper validation of the incoming payload length. Should an attacker be able to submit a payload of an invalid length, they can trigger an “infinite loop” within the component. Multiple such requests made by the attacker during a course of a session would cause a Denial of Service condition.

The original report made to the Apache team merely pointed out this “bug” without regard for its abuse and potential to cause DoS. “This issue was reported publicly via the Apache Tomcat Users mailing list without reference to the potential for DoS,” reads the advisory released by the project, further stating, “The DoS risks were identified by the Apache Tomcat Security Team.”

Name/Vulnerability Identifier: CVE-2020-13935
Type of Vulnerability: Denial of Service (DoS)

Sponsorships Available

Sponsorships Available

Sponsorships Available

Severity
CVSS 3.1 Score: 5.9 / Medium
CVSS 3.1 Metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Components Affected:
maven:
org.apache.tomcat:tomcat-websocket
[10.0.0-M1 , 10.0.0-M7)
[9.0.0.M1 , 9.0.37)
[8.5.0, 8.5.57)
org.apache.tomcat:tomcat7-websocket
( , 7.0.105)

For detecting other components containing the vulnerable Tomcat WebSocket classes and for detailed, most up to date vulnerability information, a free Nexus Vulnerability scan is recommended.

The original report of the bug made by the user “niuhailiang” can be traced back to June 28th, 2020. In the report, the user stated, “If all bits (7+64) of the payload length in one websocket frame are 1, the length will be resolved to a negative value which will cause an endless loop. The result is CPU usage is high and will not drop!”

In a screenshot posted along with the (Read more...)