Service Notices
The Exploit Code of Tomcat WebSocket DoS Vulnerability (CVE-2020-13935) Is Disclosed
Nov 13, 2020 GMT+08:00
I. Overview
External security researchers have recently disclosed a proof of concept and technical details for the WebSocket DoS vulnerability CVE-2020-13935, which Apache Tomcat officially disclosed in July 2020. The vulnerability has a CVSS score of 7.5 (high). Tomcat did not correctly validate the payload length carried in a WebSocket frame header; an invalid payload length could send the frame-processing code into an infinite loop, and repeated requests with such lengths could exhaust CPU and deny service. The flaw is only reachable through an application that exposes a WebSocket endpoint.
For more information about this vulnerability, see the following page:
https://blog.redteam-pentesting.de/2020/websocket-vulnerability-tomcat/
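The class of check that the fix introduces is the validation of the extended payload length in the WebSocket frame header before any payload is consumed. The following is an added example written for this notice, not Tomcat's code or code from the researchers' blog post: a small RFC 6455 frame-header parser that reads the 64-bit length as a signed value (as a Java long would) and rejects negative, non-minimal and oversized lengths. The sample frames, the function names and the 1 MiB size limit are constructed for the example.

```python
"""Added example: RFC 6455 WebSocket frame-header validation.

Not Tomcat's code.  It shows the kind of payload-length check that the
CVE-2020-13935 fix added: the extended length must be a valid,
non-negative, minimally encoded value before any payload is consumed.
The sample frames and the size limit are constructed for this example.
"""
import struct

# Constructed policy limit for this example (1 MiB); real servers set
# their own message-size limits.
MAX_PAYLOAD = 1 << 20


class FrameError(ValueError):
    """Raised for a frame header that RFC 6455 forbids."""


def parse_frame_header(data: bytes) -> dict:
    """Parse the header of a WebSocket frame (RFC 6455, section 5.2).

    Returns fin, opcode, masked, payload_len and header_len.  Raises
    FrameError instead of returning a length the frame loop cannot
    safely consume.  Only the header bytes need to be present in data.
    """
    if len(data) < 2:
        raise FrameError("short header")
    b0, b1 = data[0], data[1]
    fin = bool(b0 & 0x80)
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length_field = b1 & 0x7F
    offset = 2

    if length_field < 126:
        payload_len = length_field
    elif length_field == 126:
        if len(data) < offset + 2:
            raise FrameError("short 16-bit length")
        payload_len = struct.unpack("!H", data[offset:offset + 2])[0]
        offset += 2
        if payload_len < 126:
            raise FrameError("non-minimal 16-bit length")
    else:
        if len(data) < offset + 8:
            raise FrameError("short 64-bit length")
        # Read as a *signed* 64-bit integer, as a Java long would be:
        # a most-significant bit of 1 makes the value negative.  A loop
        # that waits for "bytes remaining" to reach zero never finishes
        # on such a length, so reject it before touching any payload.
        payload_len = struct.unpack("!q", data[offset:offset + 8])[0]
        offset += 8
        if payload_len < 0:
            raise FrameError("64-bit length with MSB set")
        if payload_len < 65536:
            raise FrameError("non-minimal 64-bit length")

    # Control frames (close/ping/pong) must be small and unfragmented.
    if opcode >= 0x8 and (payload_len > 125 or not fin):
        raise FrameError("control frame too long or fragmented")
    if payload_len > MAX_PAYLOAD:
        raise FrameError("payload exceeds policy limit")
    if masked:
        offset += 4  # 4-byte masking key follows the length field
    return {
        "fin": fin,
        "opcode": opcode,
        "masked": masked,
        "payload_len": payload_len,
        "header_len": offset,
    }


def validate_frame_header(data: bytes) -> str:
    """Return 'ok' for an acceptable header, else the rejection reason."""
    try:
        parse_frame_header(data)
        return "ok"
    except FrameError as exc:
        return str(exc)


# Constructed sample frames (not captured traffic).
SAMPLE_FRAMES = {
    # unmasked text frame "Hello"
    "text_5": b"\x81\x05Hello",
    # masked text frame, 5 bytes, masking key 01 02 03 04
    "masked_text_5": b"\x81\x85\x01\x02\x03\x04" + bytes(5),
    # 16-bit extended length 256
    "ext16_256": b"\x81\x7e\x01\x00" + b"a" * 256,
    # 64-bit extended length 65536 (smallest value that needs 8 bytes)
    "ext64_65536": b"\x81\x7f\x00\x00\x00\x00\x00\x01\x00\x00",
    # 64-bit length with the top bit set (negative as a signed long)
    "ext64_msb_set": b"\x81\x7f\x80\x00\x00\x00\x00\x00\x00\x00",
    # 16-bit field used for a length that fits in 7 bits
    "ext16_non_minimal": b"\x81\x7e\x00\x05",
    # ping frame announcing a 200-byte payload
    "ping_too_long": b"\x89\x7e\x00\xc8",
}

if __name__ == "__main__":
    for name, frame in SAMPLE_FRAMES.items():
        print(f"{name:20s} {validate_frame_header(frame)}")
```

Running the block prints a verdict for each constructed frame: the four well-formed headers are accepted, and the MSB-set 64-bit length, the non-minimal 16-bit length and the oversized ping are rejected by the header check alone, which is the point: a server must decide on the length field before it starts looping over payload bytes.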
II. Severity
Severity: important
(Severity scale: low, moderate, important, critical)
III. Affected Products
Affected versions:
Apache Tomcat 10.0.0-M1 to 10.0.0-M6
Apache Tomcat 9.0.0.M1 to 9.0.36
Apache Tomcat 8.5.0 to 8.5.56
Apache Tomcat 7.0.27 to 7.0.104
Secure versions:
Apache Tomcat 10.0.0-M7 and later
Apache Tomcat 9.0.37 and later
Apache Tomcat 8.5.57 and later
Apache Tomcat 7.0.105 and later
IV. Vulnerability Handling
Upgrade to one of the secure versions listed above.
If you cannot upgrade immediately, take the following mitigation measures:
Disable WebSocket support for applications and services that do not need it, and restrict network access to any WebSocket endpoint that must remain enabled until the upgrade is complete.
Note: Before fixing vulnerabilities, back up your files and test the change thoroughly.