Security update for tomcat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2020:2037-1 Final 1 1 2020-07-24T11:33:24Z current 2020-07-24T11:33:24Z 2020-07-24T11:33:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: - Fixed CVEs: * CVE-2020-13934 (bsc#1174121) * CVE-2020-13935 (bsc#1174117) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2020-2037,SUSE-OpenStack-Cloud-9-2020-2037,SUSE-OpenStack-Cloud-Crowbar-9-2020-2037,SUSE-SLE-SAP-12-SP4-2020-2037,SUSE-SLE-SERVER-12-SP4-LTSS-2020-2037,SUSE-SLE-SERVER-12-SP5-2020-2037 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2020/suse-su-20202037-1/ Link for SUSE-SU-2020:2037-1 https://lists.suse.com/pipermail/sle-security-updates/2020-July/007179.html E-Mail link for SUSE-SU-2020:2037-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1174117 SUSE Bug 1174117 https://bugzilla.suse.com/1174121 SUSE Bug 1174121 https://www.suse.com/security/cve/CVE-2020-13934/ SUSE CVE CVE-2020-13934 page https://www.suse.com/security/cve/CVE-2020-13935/ SUSE CVE CVE-2020-13935 page SUSE Linux Enterprise Server 12 SP4-LTSS SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP4 SUSE Linux Enterprise Server for SAP Applications 12 SP5 SUSE OpenStack Cloud 9 SUSE OpenStack Cloud Crowbar 9 tomcat-9.0.36-3.45.1 tomcat-admin-webapps-9.0.36-3.45.1 tomcat-docs-webapp-9.0.36-3.45.1 tomcat-el-3_0-api-9.0.36-3.45.1 tomcat-embed-9.0.36-3.45.1 tomcat-javadoc-9.0.36-3.45.1 tomcat-jsp-2_3-api-9.0.36-3.45.1 tomcat-jsvc-9.0.36-3.45.1 tomcat-lib-9.0.36-3.45.1 tomcat-servlet-4_0-api-9.0.36-3.45.1 tomcat-webapps-9.0.36-3.45.1 tomcat-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-admin-webapps-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-docs-webapp-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-el-3_0-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-javadoc-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-jsp-2_3-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-lib-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-servlet-4_0-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-webapps-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP4-LTSS tomcat-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-admin-webapps-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-docs-webapp-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-el-3_0-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-javadoc-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-jsp-2_3-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-lib-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-servlet-4_0-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-webapps-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server 12 SP5 tomcat-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-admin-webapps-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-docs-webapp-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-el-3_0-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-javadoc-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-jsp-2_3-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-lib-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-servlet-4_0-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-webapps-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP4 tomcat-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-admin-webapps-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-docs-webapp-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-el-3_0-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-javadoc-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-jsp-2_3-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-lib-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-servlet-4_0-api-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-webapps-9.0.36-3.45.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP5 tomcat-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-admin-webapps-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-docs-webapp-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-el-3_0-api-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-javadoc-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-jsp-2_3-api-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-lib-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-servlet-4_0-api-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-webapps-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud 9 tomcat-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 tomcat-admin-webapps-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 tomcat-docs-webapp-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 tomcat-el-3_0-api-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 tomcat-javadoc-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 tomcat-jsp-2_3-api-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 tomcat-lib-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 tomcat-servlet-4_0-api-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 tomcat-webapps-9.0.36-3.45.1 as a component of SUSE OpenStack Cloud Crowbar 9 An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. CVE-2020-13934 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-admin-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-docs-webapp-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-javadoc-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-lib-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-admin-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-docs-webapp-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-javadoc-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-lib-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-admin-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-docs-webapp-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-javadoc-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-lib-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-admin-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-docs-webapp-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-javadoc-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-lib-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-webapps-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-admin-webapps-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-docs-webapp-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-javadoc-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-lib-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-webapps-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-admin-webapps-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-docs-webapp-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-javadoc-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-lib-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-webapps-9.0.36-3.45.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202037-1/ https://www.suse.com/security/cve/CVE-2020-13934.html CVE-2020-13934 https://bugzilla.suse.com/1174121 SUSE Bug 1174121 The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. CVE-2020-13935 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-admin-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-docs-webapp-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-javadoc-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-lib-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-admin-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-docs-webapp-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-javadoc-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-lib-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server 12 SP5:tomcat-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-admin-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-docs-webapp-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-javadoc-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-lib-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP4:tomcat-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-admin-webapps-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-docs-webapp-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-javadoc-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-lib-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5:tomcat-webapps-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-admin-webapps-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-docs-webapp-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-javadoc-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-lib-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE OpenStack Cloud 9:tomcat-webapps-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-admin-webapps-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-docs-webapp-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-el-3_0-api-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-javadoc-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-jsp-2_3-api-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-lib-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-servlet-4_0-api-9.0.36-3.45.1 SUSE OpenStack Cloud Crowbar 9:tomcat-webapps-9.0.36-3.45.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2020/suse-su-20202037-1/ https://www.suse.com/security/cve/CVE-2020-13935.html CVE-2020-13935 https://bugzilla.suse.com/1174117 SUSE Bug 1174117