Is your feature request related to a problem? Please describe.
Recently Tomcat reported a serious bug CVE-2020-11996. A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
For more info, please refer to http://www.bqq8.com/index.php?id=2367
Both Nacos 1.2.1 and 1.3.1 are using Tomcat 9.0.13, which is an issued version, so we need to find a way to upgrade the Tomcat version in Nacos (if Nacos can provide clear and feasible steps) or wait for a higher Nacos version that includes Tomcat 9.0.36 with the CVE fix.
Describe the solution you'd like
Suggest that the Nacos community upgrade Nacos to at least Spring Boot 2.1.15.RELEASE (Tomcat 9.0.36 included, with the bug fix).
Describe alternatives you've considered
We are trying to upgrade the current embedded Tomcat 9.0.13 in Nacos 1.2.1 but failed with incompatibility issues, and we are also worried about instability during later running even if we upgrade successfully.
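An added example, not part of the original issue and not Nacos project code: a check that lists the `tomcat-embed-core` versions bundled in a Spring Boot fat jar and flags any that fall inside the CVE-2020-11996 ranges quoted above. The `BOOT-INF/lib/` layout, the function names and the in-memory sample jar are assumptions constructed for the example.

```python
import io
import re
import zipfile

# Affected ranges for CVE-2020-11996 exactly as quoted in the issue (inclusive).
AFFECTED = [("10.0.0-M1", "10.0.0-M5"), ("9.0.0.M1", "9.0.35"), ("8.5.0", "8.5.55")]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
JAR_RE = re.compile(r"(?:^|/)tomcat-embed-core-(.+)\.jar$")
RELEASE = 10**6  # a final release sorts after every milestone of the same x.y.z

def version_key(version):
    """Turn '9.0.13', '9.0.0.M1' or '10.0.0-M5' into a comparable tuple."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else RELEASE)

def is_affected(version):
    """True if the version lies inside one of the ranges quoted in the issue."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED)

def embedded_tomcat_versions(jar):
    """List tomcat-embed-core versions bundled in a fat jar (path or file object)."""
    with zipfile.ZipFile(jar) as zf:
        return sorted(m.group(1) for m in map(JAR_RE.search, zf.namelist()) if m)

def audit(jar):
    """Map each bundled Tomcat version to True (affected) or False."""
    return {v: is_affected(v) for v in embedded_tomcat_versions(jar)}

def sample_fat_jar(tomcat_version):
    """Constructed stand-in for a server jar: only the entry names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"BOOT-INF/lib/tomcat-embed-core-{tomcat_version}.jar", b"")
        zf.writestr("BOOT-INF/lib/example-lib-0.0.0.jar", b"")  # constructed filler
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for v in ("9.0.13", "9.0.36"):
        print(v, audit(sample_fat_jar(v)))
```

`audit()` also accepts a filesystem path to a real jar, so the same check can run against a deployed server jar before and after an upgrade.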