
As per the recently logged vulnerability CVE-2020-13943 with Tomcat, it says that:

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

In Tomcat I understand what a connection is and what threads are, which are maintained with the maxThreads and maxConnections properties, and how they are impacted by BIO/NIO configurations.

But what does this maximum number of concurrent streams for a connection mean here? What are these concurrent streams for a connection? And how can this be managed?

Gaurav Jeswani

1 Answer


Streams are part of the HTTP/2 protocol. Each stream represents a single request. Multiple streams are sent over the same network connection. The protocol includes a mechanism for controlling the maximum number of concurrently active streams. This particular vulnerability occurs when the client starts more than the agreed number of concurrent streams. This should never happen for a specification compliant client.

You can set the maximum number of concurrent streams Tomcat will allow a client to send via the maxConcurrentStreams attribute of the HTTP2 protocol element. This should have no impact on this vulnerability as the client should always honour whatever value is set.

Mark Thomas
  • Thanks for your response. One add-on question: what I can understand is that if the server is set to the HTTP/1.x protocol for some website, this vulnerability won't be considered at all. Is my understanding correct? – Gaurav Jeswani Oct 16 '20 at 11:15
  • Correct. This issue only affects HTTP/2. – Mark Thomas Oct 16 '20 at 11:51
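The "agreed maximum" the answer refers to is a value the server advertises in an HTTP/2 SETTINGS frame (SETTINGS_MAX_CONCURRENT_STREAMS, RFC 7540 section 6.5.2) and then has to enforce for every stream the client opens on that connection. The following is an added example, not Tomcat's code and not from anyone in this thread: a simplified Python model of that per-connection accounting that builds and parses the SETTINGS advertisement and refuses a HEADERS frame that would open a stream beyond the limit. It assumes an empty header block (no HPACK) and treats a client END_STREAM as closing the stream, which is a simplification of the real stream lifecycle.

```python
import struct
FRAME_HEADERS, FRAME_SETTINGS = 0x1, 0x4        # frame types, RFC 7540 section 6
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4    # HEADERS frame flags
SETTINGS_MAX_CONCURRENT_STREAMS = 0x3           # SETTINGS identifier, section 6.5.2

def parse_frame(buf):
    """Split one HTTP/2 frame off the front of buf: (type, flags, stream_id, payload, rest)."""
    length = int.from_bytes(buf[0:3], "big")
    stream_id = struct.unpack("!I", buf[5:9])[0] & 0x7FFFFFFF  # drop the reserved bit
    return buf[3], buf[4], stream_id, buf[9:9 + length], buf[9 + length:]

def settings_frame(max_concurrent_streams):
    """SETTINGS frame a server sends on stream 0 to advertise its per-connection stream limit."""
    payload = struct.pack("!HI", SETTINGS_MAX_CONCURRENT_STREAMS, max_concurrent_streams)
    return len(payload).to_bytes(3, "big") + bytes([FRAME_SETTINGS, 0]) + b"\0\0\0\0" + payload

def advertised_limit(frame):
    """Read SETTINGS_MAX_CONCURRENT_STREAMS back out of a SETTINGS frame (None if absent)."""
    _ftype, _flags, _sid, payload, _rest = parse_frame(frame)
    for off in range(0, len(payload), 6):
        ident, value = struct.unpack("!HI", payload[off:off + 6])
        if ident == SETTINGS_MAX_CONCURRENT_STREAMS:
            return value
    return None

def headers_frame(stream_id, end_stream=False):
    """Constructed client HEADERS frame with an empty header block (no HPACK, for illustration)."""
    flags = FLAG_END_HEADERS | (FLAG_END_STREAM if end_stream else 0)
    return (0).to_bytes(3, "big") + bytes([FRAME_HEADERS, flags]) + struct.pack("!I", stream_id)

class Connection:
    def __init__(self, max_concurrent_streams=100):
        self.limit = max_concurrent_streams  # the value Tomcat's maxConcurrentStreams would advertise
        self.active = set()                  # streams currently open on this connection

    def on_frame(self, ftype, flags, stream_id):
        if ftype == FRAME_HEADERS and stream_id not in self.active:
            if len(self.active) >= self.limit:
                return "REFUSED_STREAM"  # over the agreed limit: reject, keep no state for it
            self.active.add(stream_id)
        if flags & FLAG_END_STREAM:
            self.active.discard(stream_id)  # simplified: client END_STREAM closes the stream
        return "OK"

    def process(self, data):
        verdicts = []  # (stream_id, verdict) for each client frame in the buffer
        while data:
            ftype, flags, sid, _payload, data = parse_frame(data)
            verdicts.append((sid, self.on_frame(ftype, flags, sid)))
        return verdicts
```

A compliant client reads the advertised value and never opens more streams than that; the model shows what the server side must do when one does anyway.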