Service Notices


The Exploit Code of Tomcat WebSocket DoS Vulnerability (CVE-2020-13935) Is Disclosed

Nov 13, 2020 GMT+08:00

I. Overview

External security researchers have recently disclosed the PoC and details of the WebSocket DoS vulnerability (CVE-2020-13935), which Tomcat officially disclosed in July. The vulnerability has a CVSS score of 7.5 and lies in Tomcat's WebSocket support, so it is exposed only where WebSockets are in use.

For more information about this vulnerability, visit the following website:

https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/

II. Severity

Severity: important

(Severity: low, moderate, important, and critical)

III. Affected Products

Affected versions:

Apache Tomcat 10.0.0-M1 to 10.0.0-M6

Apache Tomcat 9.0.0.M1 to 9.0.36

Apache Tomcat 8.5.0 to 8.5.56

Apache Tomcat 7.0.27 to 7.0.104

Secure versions:

Apache Tomcat 10.0.0-M7 and later

Apache Tomcat 9.0.37 and later

Apache Tomcat 8.5.57 and later
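To check an inventory of Tomcat installations against the version ranges listed above, the following script (an added example, not part of this notice) parses Tomcat version strings, including milestone builds such as 9.0.0.M1 and 10.0.0-M6, and classifies each one as affected, secure, or not listed. The inventory entries are constructed sample data; the notice lists no secure 7.0.x version, so 7.0.x builds outside the affected range are reported as "not listed".

```python
import re
from typing import Tuple

# Version key: (major, minor, patch, is_final, milestone). Milestone builds
# ("M1", "M2", ...) sort before the final release with the same x.y.z number.
VersionKey = Tuple[int, int, int, int, int]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> VersionKey:
    """Parse Tomcat version strings such as '9.0.36', '9.0.0.M1' or '10.0.0-M6'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


# Affected ranges from the notice (inclusive on both ends).
AFFECTED = [
    ("10.0.0-M1", "10.0.0-M6"),
    ("9.0.0.M1", "9.0.36"),
    ("8.5.0", "8.5.56"),
    ("7.0.27", "7.0.104"),
]
# First secure build per branch as listed in the notice; none is listed for 7.0.x.
FIRST_SECURE = ["10.0.0-M7", "9.0.37", "8.5.57"]


def classify(version: str) -> str:
    """Return 'affected', 'secure' or 'not listed' for CVE-2020-13935."""
    key = parse_version(version)
    for low, high in AFFECTED:
        if parse_version(low) <= key <= parse_version(high):
            return "affected"
    for fixed in FIRST_SECURE:
        fixed_key = parse_version(fixed)
        # Same major.minor branch and at or above the first fixed build.
        if key[:2] == fixed_key[:2] and key >= fixed_key:
            return "secure"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample inventory (hostname, Tomcat version), not real hosts.
    inventory = [("app-01", "9.0.36"), ("app-02", "9.0.37"),
                 ("legacy-01", "7.0.104"), ("dev-01", "10.0.0-M6")]
    for host, version in inventory:
        print(f"{host:10} Tomcat {version:10} -> {classify(version)}")
```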

IV. Vulnerability Handling

Upgrade to a secure version:

http://tomcat.apache.org/

Alternatively, take the following mitigation measures:

Disable WebSocket for services that do not need it.

Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.