QID 352286
Date Published: 2021-05-19
QID 352286: Amazon Linux Security Update for tomcat7: AL2012-2020-326
Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2020-13935:
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
1857024:
CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS
CVE-2019-17563:
1785711:
CVE-2019-17563 tomcat: session fixation when using FORM authentication
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
CVEs related to QID 352286
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| AL2012-2020-326 | Amazon Linux Bare Metal |
docs.aws.amazon.com/AWSEC2/latest/UserGuide/install-updates.html |