CSPC Server - Tomcat vulnerability

frank.miyagi
Level 1

Hello team,

I was informed by our security team that the CSPC server hosted in our internal network has a vulnerability:

- Apache Tomcat WebSocket Denial of Service Vulnerability

We are using CSPC version 2.8.1.8. How can I fix this vulnerability?

2 Accepted Solutions


I've just confirmed that there are a number of discussions already in progress about this and other related CVEs for this Tomcat concern. I'll be able to follow up once some specifics are made available.


This CVE will be addressed in the next release/patch for CSPC.


4 Replies

Justin Sprake
Cisco Employee
Hello,

I understand that there have been a couple of Apache/Tomcat vulnerabilities published since March of this year. If you can provide the specific CVEs you are concerned about, I can investigate which CSPC-related enhancements and other FNs are applicable for external tracking.

If there are any workarounds available, they should be contained within the details of the FN and defect. Otherwise, future patches and releases of CSPC software will likely come with the necessary fixes.

Hello Justin,

According to our security team, the CVE is this:

WebSocket DoS CVE-2020-13935

The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

Thanks,

Frank
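
The CVE description quoted above concerns payload-length validation in WebSocket frames. As an added example (not code from this thread, Tomcat or CSPC), the header parser below applies the length rules of RFC 6455 section 5.2 before any payload is read; the function name, the exception class and the 1 MiB cap are assumptions made for illustration.

```python
import struct

MAX_PAYLOAD = 1 << 20  # assumed local policy cap (1 MiB), not a Tomcat or CSPC setting


class FrameError(ValueError):
    """Header violates RFC 6455 section 5.2 or the local size policy."""


def parse_frame_header(buf: bytes, max_payload: int = MAX_PAYLOAD):
    """Return (fin, opcode, masked, payload_len, header_len) for one frame header.

    Returns None when buf is too short to hold the complete header, so the
    caller waits for more bytes rather than looping on a partial read.
    """
    if len(buf) < 2:
        return None
    fin = bool(buf[0] & 0x80)
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F
    pos = 2
    if length == 126:
        if len(buf) < pos + 2:
            return None
        (length,) = struct.unpack_from("!H", buf, pos)
        pos += 2
        if length < 126:
            raise FrameError("16-bit length used where the 7-bit form is required")
    elif length == 127:
        if len(buf) < pos + 8:
            return None
        (length,) = struct.unpack_from("!Q", buf, pos)
        pos += 8
        # In a signed 64-bit integer, a set top bit makes the length negative.
        if length >> 63:
            raise FrameError("most significant bit of 64-bit length must be 0")
        if length <= 0xFFFF:
            raise FrameError("64-bit length used where a shorter form is required")
    if opcode >= 0x8 and (length > 125 or not fin):
        raise FrameError("control frame must be unfragmented and at most 125 bytes")
    if length > max_payload:
        raise FrameError(f"payload length {length} exceeds policy cap {max_payload}")
    if masked:
        if len(buf) < pos + 4:
            return None
        pos += 4  # masking key follows the length field
    return fin, opcode, masked, length, pos
```

A receiver built this way rejects a malformed length once and closes the connection instead of re-entering its read loop with a value it cannot consume.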
