SynopsisThe remote Apache Tomcat server is affected by a denial of service vulnerability.
DescriptionThe version of Tomcat installed on the remote host is prior to 9.0.36. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.36_security-9 advisory.
- A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. (CVE-2020-11996)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
SolutionUpgrade to Apache Tomcat version 9.0.36 or later.