Researcher publishes PoC for CVE-2020-13935 Apache Tomcat WebSocket DoS Vulnerability

A proof-of-concept (PoC) for the Apache Tomcat WebSocket denial-of-service vulnerability (CVE-2020-13935) has recently been made public. Apache officially disclosed the vulnerability on July 14, 2020, and an exploitation tool is now publicly available. To prevent your systems from being affected, we recommend that you conduct a security self-inspection promptly. If your Apache Tomcat server is affected, update and patch it in time to avoid intrusion by external attackers.
[Figure: Apache Tomcat 9]

Vulnerability Detail

The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
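To illustrate the kind of validation the advisory refers to, here is a small Python parser for the length field of a WebSocket frame header (RFC 6455, section 5.2). It is an added example written for this page, not Tomcat's code and not from the advisory; it refuses lengths that the RFC forbids instead of handing them to the payload-reading loop, and the frame bytes used to exercise it are constructed.

```python
import struct


class InvalidFrame(ValueError):
    """Raised when a frame header violates the RFC 6455 length rules."""


def parse_frame_header(data: bytes) -> dict:
    """Parse a WebSocket frame header and validate its payload length.

    Returns fin, opcode, masked, payload_len and header_len. Any length the
    RFC forbids raises InvalidFrame before a caller could try to read that
    many bytes, which is the class of input a non-validating parser spins on.
    """
    if len(data) < 2:
        raise InvalidFrame("truncated header")
    b0, b1 = data[0], data[1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F  # 7-bit length, or 126/127 as extension markers
    pos = 2
    if length == 126:
        if len(data) < pos + 2:
            raise InvalidFrame("truncated 16-bit length")
        length = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        if length < 126:  # must use the minimal encoding
            raise InvalidFrame("non-minimal 16-bit length %d" % length)
    elif length == 127:
        if len(data) < pos + 8:
            raise InvalidFrame("truncated 64-bit length")
        length = struct.unpack("!Q", data[pos:pos + 8])[0]
        pos += 8
        # RFC 6455: the most significant bit of a 64-bit length MUST be 0.
        # Interpreted as a signed 64-bit value such a length is negative, and
        # a loop that waits to consume "length" bytes never terminates.
        if length >= 1 << 63:
            raise InvalidFrame("64-bit length with MSB set: 0x%x" % length)
        if length < 65536:  # must use the minimal encoding
            raise InvalidFrame("non-minimal 64-bit length %d" % length)
    if masked:
        pos += 4  # 4-byte masking key follows the length field
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "payload_len": length, "header_len": pos}


def rejects(data: bytes) -> bool:
    """True if the header is refused by the length validation above."""
    try:
        parse_frame_header(data)
    except InvalidFrame:
        return True
    return False
```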

Versions Affected:

Apache Tomcat 10.0.0-M1 to 10.0.0-M6
Apache Tomcat 9.0.0.M1 to 9.0.36
Apache Tomcat 8.5.0 to 8.5.56
Apache Tomcat 7.0.27 to 7.0.104

Mitigation:

– Upgrade to Apache Tomcat 10.0.0-M7 or later
– Upgrade to Apache Tomcat 9.0.37 or later
– Upgrade to Apache Tomcat 8.5.57 or later