Bug 1179602 - (CVE-2020-17527) VUL-0: CVE-2020-17527: tomcat6,tomcat: HTTP/2 request header mix-up
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/272682/
CVSSv3.1:SUSE:CVE-2020-17527:7.5:(AV:...
Reported: 2020-12-04 12:31 UTC by Robert Frohl
Modified: 2021-01-27 16:47 UTC

Found By: Security Response Team

Description Robert Frohl 2020-12-04 12:31:42 UTC
rh#1904221

While investigating Bug 64830 it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Reference:
https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.apache.org%3E

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1904221
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-17527
http://www.openwall.com/lists/oss-security/2020/12/03/3
http://seclists.org/oss-sec/2020/q4/181
https://access.redhat.com/security/cve/CVE-2020-17527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17527
https://lists.apache.org/thread.html/raa0e9ad388c1e6fd1e301b5e080f9439f64cb4178119a86a4801cc53@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5%40%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r8a227ac6a755a6406c1cc47dd48800e973d4cf13fe7fe68ac59c679c@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rce5ac9a40173651d540babce59f6f3825f12c6d4e886ba00823b11e5@%3Cannounce.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rd5babd13d7a350b369b2f647b4dd32ce678af42f9aba5389df1ae6ca@%3Cusers.tomcat.apache.org%3E
Comment 1 Marcus Meissner 2020-12-14 07:42:59 UTC
via oss-sec 
CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M5 to 9.0.39
Apache Tomcat 8.5.1 to 8.5.59

Description:
While investigating Bug 64830 it was discovered that Apache Tomcat could
re-use an HTTP request header value from the previous stream received
on an HTTP/2 connection for the request associated with the subsequent
stream. While this would most likely lead to an error and the closure of
the HTTP/2 connection, it is possible that information could leak
between requests.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M10 or later
- Upgrade to Apache Tomcat 9.0.40 or later
- Upgrade to Apache Tomcat 8.5.60 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
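
A version check built from the affected ranges in the advisory above and the fixed package versions in the update notices on this page; it is an added example, not code from SUSE or Apache Tomcat. The fixed SUSE packages keep upstream version 9.0.36, which lies inside the upstream affected range, so the package release has to be compared as well. `numeric_key` is a simplified stand-in for RPM version comparison (an assumption) and is only meaningful within one product's release series.

```python
import re

# Upstream affected ranges, copied from the advisory text (inclusive bounds).
AFFECTED = [("10.0.0-M1", "10.0.0-M9"), ("9.0.0.M5", "9.0.39"), ("8.5.1", "8.5.59")]

# Fixed SUSE source packages, copied from three of the update notices on this page.
SUSE_FIXED = {
    "SUSE Linux Enterprise Server 12-SP5": "9.0.36-3.58.1",
    "SUSE Linux Enterprise Server 15-LTSS": "9.0.36-3.74.1",
    "openSUSE Leap 15.2": "9.0.36-lp152.2.16.1",
}

def upstream_key(version):
    """Sort key for upstream versions; milestones (M5) sort before the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            int(milestone) if milestone else float("inf"))

def upstream_affected(version):
    """True if an unpatched upstream build of this version is in an affected range."""
    key = upstream_key(version)
    return any(upstream_key(lo) <= key <= upstream_key(hi) for lo, hi in AFFECTED)

def numeric_key(text):
    """Numeric fields of a version or release string (simplified, not rpmvercmp)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def suse_status(product, installed):
    """Compare an installed 'version-release' with the fixed package for a product."""
    fixed = SUSE_FIXED.get(product)
    if fixed is None:
        return "unknown product"
    inst_ver, inst_rel = installed.split("-", 1)
    fix_ver, fix_rel = fixed.split("-", 1)
    inst = (numeric_key(inst_ver), numeric_key(inst_rel))
    fix = (numeric_key(fix_ver), numeric_key(fix_rel))
    return "fixed" if inst >= fix else "needs update"

if __name__ == "__main__":
    # 9.0.36 is flagged by the upstream check, yet the SUSE package is patched.
    print(upstream_affected("9.0.36"))
    print(suse_status("SUSE Linux Enterprise Server 12-SP5", "9.0.36-3.58.1"))
```
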
Comment 5 Abid Mehmood 2020-12-16 11:24:33 UTC
All MRs have been created. As the issue is only related to HTTP/2, no patch is required for 12-SP2 and 12-SP3.
Comment 7 Abid Mehmood 2021-01-05 11:11:41 UTC
All the MRs have been accepted; can we close this now?
Comment 8 Marcus Meissner 2021-01-05 13:29:49 UTC
reassign to security-team (done)

we will close once everything is released.
Comment 9 Swamp Workflow Management 2021-01-05 20:15:40 UTC
SUSE-SU-2021:0031-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1179602
CVE References: CVE-2020-17527
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    tomcat-9.0.36-3.58.1
SUSE OpenStack Cloud 9 (src):    tomcat-9.0.36-3.58.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    tomcat-9.0.36-3.58.1
SUSE Linux Enterprise Server 12-SP5 (src):    tomcat-9.0.36-3.58.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    tomcat-9.0.36-3.58.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-01-07 14:18:37 UTC
SUSE-SU-2021:0040-1: An update that solves two vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1092163,1172562,1177582,1178396,1179602
CVE References: CVE-2020-13943,CVE-2020-17527
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    tomcat-9.0.36-3.74.1
SUSE Linux Enterprise Server 15-LTSS (src):    tomcat-9.0.36-3.74.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    tomcat-9.0.36-3.74.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    tomcat-9.0.36-3.74.1

Comment 11 Swamp Workflow Management 2021-01-07 14:19:38 UTC
SUSE-SU-2021:0041-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1179602
CVE References: CVE-2020-17527
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    tomcat-9.0.36-3.18.1

Comment 12 Swamp Workflow Management 2021-01-07 14:20:39 UTC
SUSE-SU-2021:0042-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1179602
CVE References: CVE-2020-17527
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    tomcat-9.0.36-4.53.1

Comment 13 Swamp Workflow Management 2021-01-11 05:16:00 UTC
openSUSE-SU-2021:0043-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1179602
CVE References: CVE-2020-17527
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    tomcat-9.0.36-lp152.2.16.1
Comment 14 Swamp Workflow Management 2021-01-16 14:25:52 UTC
openSUSE-SU-2021:0081-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1179602
CVE References: CVE-2020-17527
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    tomcat-9.0.36-lp151.3.39.1
Comment 15 Alexandros Toptsoglou 2021-01-27 16:47:38 UTC
Done