CVE-2020-13935
📋 TL;DR
This vulnerability in Apache Tomcat allows attackers to cause a denial of service by sending WebSocket frames with invalid payload lengths, which triggers an infinite loop. It affects Tomcat versions 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56, and 7.0.27 to 7.0.104. Systems using WebSocket functionality in these Tomcat versions are vulnerable.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
- Agile Engineering Data Management by Oracle
- Agile Plm by Oracle
- Communications Cloud Native Core Policy by Oracle
- Communications Instant Messaging Server by Oracle
- Leap by Opensuse
- Tomcat by Apache
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service causing Tomcat to become unresponsive, requiring restart and potentially affecting all hosted applications.
Likely Case
Service disruption and resource exhaustion leading to degraded performance or temporary unavailability.
If Mitigated
Minimal impact if WebSocket functionality is disabled or proper rate limiting is in place.
🎯 Exploit Status
Exploitation requires sending specially crafted WebSocket frames but is straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Tomcat 10.0.0-M7, 9.0.37, 8.5.57, 7.0.105
Vendor Advisory: https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E
Restart Required: Yes
Instructions:
1. Download the patched Tomcat version from the Apache website.
2. Stop the Tomcat service.
3. Back up the current installation.
4. Replace it with the patched version.
5. Restart the Tomcat service.
🔧 Temporary Workarounds
Disable WebSocket Support
If WebSocket functionality is not required, disable it to prevent exploitation.
Modify server.xml to remove WebSocket connectors and related configurations
Implement Rate Limiting
Configure network devices or a WAF to limit WebSocket connections and frame rates.
Configure rate limiting rules for WebSocket traffic on firewall/WAF
🧯 If You Can't Patch
- Implement network segmentation to restrict access to Tomcat instances
- Deploy Web Application Firewall (WAF) with WebSocket protection rules
🔍 How to Verify
Check if Vulnerable:
Check the Tomcat version using the version command, or examine the server logs for version information.
Check Version:
catalina.sh version (Linux) or catalina.bat version (Windows)
Verify Fix Applied:
Verify Tomcat version is 10.0.0-M7+, 9.0.37+, 8.5.57+, or 7.0.105+ and test WebSocket functionality.
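As an added example (not from the advisory or the Tomcat project), the following Python script parses the `Server version:` line of `catalina.sh version` / `catalina.bat version` output and checks it against the affected ranges and fixed versions listed above. The sample output it ships with is constructed, and the rule that a milestone such as 10.0.0-M6 sorts before the final 10.0.0 release is an assumption based on Tomcat's naming convention.

```python
import re

# Affected ranges (inclusive) and first fixed version per release line, as
# stated in the advisory.
AFFECTED_RANGES = [
    ("10.0.0-M1", "10.0.0-M6"),
    ("9.0.0.M1", "9.0.36"),
    ("8.5.0", "8.5.56"),
    ("7.0.27", "7.0.104"),
]
FIXED_VERSION = {(10, 0): "10.0.0-M7", (9, 0): "9.0.37",
                 (8, 5): "8.5.57", (7, 0): "7.0.105"}

# Matches "9.0.36", "10.0.0-M6" and the older "9.0.0.M1" milestone spelling.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?")


def parse_version(text):
    """Return a sortable tuple for the first Tomcat version in text, or None.

    Milestones sort before the final release of the same number (assumption):
    10.0.0-M6 -> (10, 0, 0, 0, 6)  <  10.0.0 -> (10, 0, 0, 1, 0).
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    if m.group(4) is not None:
        return (major, minor, patch, 0, int(m.group(4)))
    return (major, minor, patch, 1, 0)


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def recommended_fix(version):
    """First fixed release on the same major.minor line, or None if unknown."""
    v = parse_version(version)
    return FIXED_VERSION.get((v[0], v[1])) if v else None


def assess_catalina_output(output):
    """Parse `catalina.sh version` output; return (version, affected, fix)."""
    for line in output.splitlines():
        # Only the "Server version:" line is used; "Server number:" also
        # carries a version-like value and is deliberately ignored.
        if line.strip().startswith("Server version:"):
            m = _VERSION_RE.search(line)
            if m is None:
                break
            version = m.group(0)
            return version, is_affected(version), recommended_fix(version)
    raise ValueError("no 'Server version:' line found in output")


# Constructed sample of `catalina.sh version` output (not a real capture).
SAMPLE_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.36
Server built:   Jun 3 2020 20:43:12 UTC
Server number:  9.0.36.0
OS Name:        Linux
"""

if __name__ == "__main__":
    version, affected, fix = assess_catalina_output(SAMPLE_OUTPUT)
    status = "AFFECTED" if affected else "not affected"
    print(f"Tomcat {version}: {status}" + (f", upgrade to {fix}" if affected else ""))
```

In practice pipe the real command into the script (`catalina.sh version | python3 check.py` with `sys.stdin.read()` in place of `SAMPLE_OUTPUT`); the version comparison is the part worth automating, since a plain string comparison would rank 9.0.9 above 9.0.36.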
📡 Detection & Monitoring
Log Indicators:
- Multiple WebSocket connection errors
- Unusual WebSocket frame patterns
- Tomcat process consuming excessive CPU
Network Indicators:
- High volume of WebSocket traffic with abnormal payload sizes
- Multiple WebSocket handshake failures
SIEM Query:
source="tomcat" AND ("WebSocket" OR "ws:") AND (error OR exception OR "invalid payload")
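The SIEM query above, expressed as Python over a handful of constructed Tomcat-style log lines, as an added example that is not part of the advisory: a line is matched on the same terms the query uses, matches are counted per source address, and any source at or above a threshold is reported, which is the "multiple WebSocket connection errors" indicator made concrete. The log lines, addresses and message wording are constructed for illustration, not real Tomcat output.

```python
import re
from collections import Counter

# Terms taken from the advisory's SIEM query: a line must mention WebSocket
# (or a ws: URL) AND carry an error / exception / "invalid payload" marker.
SUBJECT_TERMS = ("websocket", "ws:")
ERROR_TERMS = ("error", "exception", "invalid payload")
_IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def matches_siem_query(line):
    """Case-insensitive equivalent of the advisory's SIEM query for one line."""
    lowered = line.lower()
    return (any(t in lowered for t in SUBJECT_TERMS)
            and any(t in lowered for t in ERROR_TERMS))


def count_by_source(lines):
    """Count matching lines per IPv4 address in the line ('unknown' if none)."""
    counts = Counter()
    for line in lines:
        if matches_siem_query(line):
            m = _IPV4_RE.search(line)
            counts[m.group(1) if m else "unknown"] += 1
    return counts


def noisy_sources(lines, threshold=3):
    """Sources with at least `threshold` matching lines, sorted for stable output."""
    return sorted(src for src, n in count_by_source(lines).items() if n >= threshold)


# Constructed sample log lines (Tomcat-like layout, not a real capture;
# addresses are from the TEST-NET documentation ranges).
_WS = "org.apache.tomcat.websocket.server.WsFrameServer.onDataAvailable"
SAMPLE_LOG = [
    f"10-Jul-2020 12:00:01.101 SEVERE [http-nio-8080-exec-3] {_WS} "
    "Error reading WebSocket frame from 203.0.113.5: invalid payload length",
    f"10-Jul-2020 12:00:01.140 SEVERE [http-nio-8080-exec-5] {_WS} "
    "Error reading WebSocket frame from 203.0.113.5: invalid payload length",
    f"10-Jul-2020 12:00:01.171 SEVERE [http-nio-8080-exec-2] {_WS} "
    "Error reading WebSocket frame from 203.0.113.5: invalid payload length",
    "10-Jul-2020 12:00:02.004 INFO [main] org.apache.catalina.startup.Catalina.start "
    "Server startup in [812] milliseconds",
    "10-Jul-2020 12:00:05.300 WARNING [http-nio-8080-exec-7] "
    "org.apache.tomcat.websocket.server.WsHandshakeRequest WebSocket handshake "
    "failed for 198.51.100.7: java.io.IOException: Connection reset",
    "10-Jul-2020 12:00:06.000 SEVERE [http-nio-8080-exec-1] "
    "org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() "
    "threw exception from 192.0.2.9: java.lang.NullPointerException",
]

if __name__ == "__main__":
    for src, n in count_by_source(SAMPLE_LOG).most_common():
        print(f"{src}: {n} WebSocket error line(s)")
    print("over threshold:", noisy_sources(SAMPLE_LOG))
```

The last sample line shows why the subject terms matter: a servlet exception with no WebSocket context is not counted, so a generic "any SEVERE" rule would produce noise that this query does not. Tune the threshold and add a time window (for example, errors per source per minute) before turning this into an alert.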
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html
- https://kc.mcafee.com/corporate/index?page=content&id=SB10332
- https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html
- https://security.netapp.com/advisory/ntap-20200724-0003/
- https://usn.ubuntu.com/4448-1/
- https://usn.ubuntu.com/4596-1/
- https://www.debian.org/security/2020/dsa-4727
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html