ATLASSIAN:CONFSERVER-60004 (jira.atlassian.com), Jun 29, 2020, 1:40 p.m.

Upgrade Tomcat to version 9.0.37

EPSS: 0.922 (High), percentile 99.0%

h3. Issue Summary

This vulnerability (CVE-2020-11996) uses "(a) specially crafted sequence of HTTP/2 requests" to "trigger high CPU usage for several seconds." A large number of these HTTP/2 requests could be used to make an application unresponsive.

h3. Versions Affected:

  • Apache Tomcat 10.0.0-M1 to 10.0.0-M5
  • Apache Tomcat 9.0.0.M1 to 9.0.35
  • Apache Tomcat 8.5.0 to 8.5.55

h3. Versions Fixed:

  • Apache Tomcat 10.0.0-M6 or later
  • Apache Tomcat 9.0.36 or later
  • Apache Tomcat 8.5.56 or later

h3. Notes

  • By default, Confluence is configured to use an HTTP/1.1 connector and would not be vulnerable to this CVE.

h3. Mitigation

  • No workaround is needed to mitigate this vulnerability.
  • If your organization determines that you cannot use a version of Tomcat that is affected by CVE-2020-11996, you can manually update the version of Tomcat used by Confluence to an unaffected version (9.0.37) as described in [How to Upgrade The Tomcat Container for Confluence|https://confluence.atlassian.com/confkb/how-to-upgrade-the-tomcat-container-for-confluence-336757062.html].
    ** Note: Manually upgrading the version of Tomcat used by Confluence is not supported. If any issues arise from making this change, Atlassian Support would first recommend going back to a supported version of Tomcat.
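A check a Confluence administrator could run against this advisory, as an added example that is not Atlassian's or Tomcat's own code: it compares a Tomcat version string with the affected ranges listed above (treating milestone builds such as 9.0.0.M1 as older than the final release) and parses a server.xml to see whether any Connector actually enables the HTTP/2 upgrade protocol, which is what makes the default HTTP/1.1 setup unaffected. The server.xml content is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges exactly as listed in the advisory.
AFFECTED_RANGES = [("10.0.0-M1", "10.0.0-M5"), ("9.0.0.M1", "9.0.35"), ("8.5.0", "8.5.55")]

def parse_version(v):
    """Tomcat version string -> sortable tuple. Milestones sort before the
    final release: 9.0.0.M1 -> (9,0,0,0,1), 9.0.35 -> (9,0,35,1,0)."""
    nums, milestone = [], None
    for part in re.split(r"[.-]", v.strip()):
        if part.isdigit():
            nums.append(int(part))
        elif part[:1].upper() == "M" and part[1:].isdigit():
            milestone = int(part[1:])
        else:
            raise ValueError("unrecognised version component: %r" % part)
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((0, milestone) if milestone is not None else (1, 0))

def is_affected(version):
    """True if the version falls in a range the advisory lists as affected."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)

def http2_connector_ports(server_xml):
    """Ports of <Connector>s that declare an HTTP/2 UpgradeProtocol; an empty
    list means only HTTP/1.1 connectors are configured (the Confluence default)."""
    ports = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if any(up.get("className", "").endswith("Http2Protocol")
               for up in conn.findall("UpgradeProtocol")):
            ports.append(conn.get("port"))
    return ports

# Constructed sample server.xml: a default-style HTTP/1.1 connector on 8090
# plus a second connector on which HTTP/2 has been enabled.
SAMPLE_SERVER_XML = """<Server port="8000" shutdown="SHUTDOWN"><Service name="Tomcat-Standalone">
  <Connector port="8090" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    ports = http2_connector_ports(SAMPLE_SERVER_XML)
    for ver in ("9.0.35", "9.0.37", "8.5.55", "10.0.0-M5"):
        print(ver, "affected" if is_affected(ver) else "not affected",
              "| HTTP/2 connectors:", ports or "none")
```

Run it against the real version string (from the Tomcat `version.sh` output or the `catalina.jar` manifest) and the live `server.xml`; a version inside a range combined with a non-empty port list is the only combination the advisory describes as exposed.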