h3. Issue Summary
CVE-2020-11996 is a denial-of-service issue in the HTTP/2 connector of Apache Tomcat. A “specially crafted sequence of HTTP/2 requests” can “trigger high CPU usage for several seconds”; if enough such requests are sent over concurrent HTTP/2 connections, the application can become unresponsive. Only connectors with HTTP/2 enabled are exposed; HTTP/1.1 connectors are not affected.
h3. Versions Affected
- Apache Tomcat 10.0.0-M1 to 10.0.0-M5
- Apache Tomcat 9.0.0.M1 to 9.0.35
- Apache Tomcat 8.5.0 to 8.5.55
h3. Fixed Versions
- Apache Tomcat 10.0.0-M6 or later
- Apache Tomcat 9.0.36 or later
- Apache Tomcat 8.5.56 or later
h3. Notes
- By default Confluence is configured to use an HTTP/1.1 connector and is not vulnerable to this CVE. Confluence is only exposed if HTTP/2 has been enabled manually, which requires an {{UpgradeProtocol}} element with {{className="org.apache.coyote.http2.Http2Protocol"}} inside a {{Connector}} in {{<install-directory>/conf/server.xml}}. If no such element exists (outside of XML comments), the bundled Tomcat version does not matter for this CVE.
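As an added example (not part of this Atlassian page, and not Confluence or Tomcat code), the following POSIX shell script performs the two checks a practitioner would want here: whether any {{Connector}} in a {{server.xml}} has an HTTP/2 {{UpgradeProtocol}} configured (ignoring commented-out XML, which a plain grep would misreport), and whether a Tomcat version string falls inside the affected ranges listed above. The {{server.xml}} contents are constructed samples; the only assumption about a real installation is that the Tomcat version can be read from {{bin/version.sh}}.

```sh
#!/bin/sh
# Added example, not Atlassian/Tomcat code. Checks (1) whether a server.xml
# enables HTTP/2 on any Connector and (2) whether a Tomcat version string is
# in a range listed as affected by CVE-2020-11996.

# Remove <!-- ... --> comments (including multi-line ones) so that a
# commented-out HTTP/2 connector is not reported as enabled.
strip_xml_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (in_comment) {
                e = index(line, "-->")
                if (e == 0) { line = ""; break }
                line = substr(line, e + 3); in_comment = 0
            } else {
                s = index(line, "<!--")
                if (s == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, s - 1)
                line = substr(line, s + 4); in_comment = 1
            }
        }
        print out
    }' "$1"
}

# Return 0 (true) if the given server.xml configures the HTTP/2 UpgradeProtocol
# on any Connector outside of XML comments.
http2_enabled() {
    strip_xml_comments "$1" | grep -q 'org.apache.coyote.http2.Http2Protocol'
}

# Numeric "less than or equal"; false (not an error) for non-numeric input.
_le() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le "$2" ]
}

# Return 0 (true) if the Tomcat version is in an affected range:
# 8.5.0-8.5.55, 9.0.0.M1-9.0.35, 10.0.0-M1-10.0.0-M5. Accepts the four-part
# form printed by bin/version.sh ("Server number: 9.0.35.0") as well as the
# three-part release name.
tomcat_affected() {
    case "$1" in
        9.0.0.M*)  return 0 ;;                                  # all 9.0.0.Mx milestones
        10.0.0-M*) _n=${1#10.0.0-M}; _n=${_n%%.*}; _le "$_n" 5 ;;
        8.5.*)     _n=${1#8.5.};     _n=${_n%%.*}; _le "$_n" 55 ;;
        9.0.*)     _n=${1#9.0.};     _n=${_n%%.*}; _le "$_n" 35 ;;
        *)         return 1 ;;                                  # other branches not listed
    esac
}

# Assumed layout: the Tomcat install directory passed as $1 has bin/version.sh,
# which prints a "Server number: x.y.z.w" line.
installed_tomcat_version() {
    "$1/bin/version.sh" | sed -n 's/^Server number: *//p'
}

# Constructed sample: default Confluence-style HTTP/1.1 connector, with an
# HTTP/2-enabled connector present only inside a comment (NOT enabled).
write_sample_default() {
cat > "$1" <<'EOF'
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="48" minSpareThreads="10" enableLookups="false" />
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
    -->
  </Service>
</Server>
EOF
}

# Constructed sample: the same file with HTTP/2 actually enabled.
write_sample_http2() {
cat > "$1" <<'EOF'
<Server port="8000" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>
EOF
}

# Demo against the constructed samples (temporary files, removed afterwards).
demo_dir=$(mktemp -d)
write_sample_default "$demo_dir/server-default.xml"
write_sample_http2   "$demo_dir/server-http2.xml"
for f in "$demo_dir"/server-*.xml; do
    if http2_enabled "$f"; then echo "$(basename "$f"): HTTP/2 UpgradeProtocol enabled"
    else echo "$(basename "$f"): HTTP/1.1 only, not exposed to CVE-2020-11996"; fi
done
rm -rf "$demo_dir"
for v in 8.5.55 8.5.56 9.0.0.M1 9.0.35.0 9.0.37 10.0.0-M5 10.0.0-M6; do
    if tomcat_affected "$v"; then echo "Tomcat $v: affected"; else echo "Tomcat $v: not affected"; fi
done
```

To run the checks against a real installation, point {{http2_enabled}} at {{<install-directory>/conf/server.xml}} and {{installed_tomcat_version}} at the Confluence install directory; a host is only exposed when both return true. The version check treats any branch other than 8.5, 9.0 and the 10.0.0 milestones as not listed, so it says nothing about releases outside the advisory's ranges.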
h3. Mitigation
- No workaround is required for a default Confluence installation: it uses the HTTP/1.1 connector, which is not affected by this CVE.
- If your organization determines that you cannot run Confluence on a version of Tomcat affected by CVE-2020-11996, you can manually update the version of Tomcat used by Confluence to an unaffected version (for example 9.0.37) as described in [How to Upgrade The Tomcat Container for Confluence|https://confluence.atlassian.com/confkb/how-to-upgrade-the-tomcat-container-for-confluence-336757062.html]
** Note: Manually upgrading the version of Tomcat used by Confluence is not supported. If any issues arise from making this change, Atlassian Support would first recommend going back to a supported version of Tomcat.