Vulmon
Amazon Linux 2 Security Advisory: ALASTOMCAT8.5-2023-011
Advisory Release Date: 2023-08-21 20:58 Pacific
Advisory Updated Date: 2023-09-25 21:58 Pacific
Severity:
Medium
Issue Overview:
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. (CVE-2020-13943)
Affected Packages:
tomcat
Issue Correction:
Run yum update tomcat to update your system.
New Packages:
noarch:
tomcat-8.5.58-1.amzn2.noarch
tomcat-admin-webapps-8.5.58-1.amzn2.noarch
tomcat-docs-webapp-8.5.58-1.amzn2.noarch
tomcat-javadoc-8.5.58-1.amzn2.noarch
tomcat-jsvc-8.5.58-1.amzn2.noarch
tomcat-jsp-2.3-api-8.5.58-1.amzn2.noarch
tomcat-lib-8.5.58-1.amzn2.noarch
tomcat-servlet-3.1-api-8.5.58-1.amzn2.noarch
tomcat-el-3.0-api-8.5.58-1.amzn2.noarch
tomcat-webapps-8.5.58-1.amzn2.noarch
src:
tomcat-8.5.58-1.amzn2.src