How to Mitigate the Apache Tomcat HTTP/2 DoS Vulnerability in Spring Cloud/Boot
This guide lists the Apache Tomcat versions vulnerable to CVE-2020-11996, shows which Spring Cloud and Spring Boot releases are affected, and provides step‑by‑step upgrade instructions to secure your applications against the HTTP/2 denial‑of‑service attack.
On 2020‑06‑25 the Apache security team announced a high‑severity HTTP/2 denial‑of‑service vulnerability (CVE‑2020‑11996) in Apache Tomcat. A crafted HTTP/2 request sequence can drive CPU usage to 100 % within seconds, making the server unresponsive when enough concurrent connections are present.
Affected Tomcat releases
10.0.0‑M1 ~ 10.0.0‑M5
9.0.0.M1 ~ 9.0.35
8.5.0 ~ 8.5.55
Fixed Tomcat releases
10.0.0‑M6 and later
9.0.36 and later
8.5.56 and later
Impact on Spring Cloud / Spring Boot
Spring Cloud and Spring Boot bundles embed the vulnerable Tomcat libraries. Affected combinations include:
Spring Cloud Edgware.RELEASE through Edgware.SR6 with Spring Boot 1.5.0.RELEASE through 1.5.22.RELEASE
Spring Cloud Finchley.RELEASE through Finchley.SR4 with Spring Boot 2.0.0.RELEASE through 2.0.9.RELEASE
Spring Cloud Greenwich.RELEASE through Greenwich.SR6 with Spring Boot 2.1.0.RELEASE through 2.1.14.RELEASE (fixed in 2.1.15.RELEASE)
Spring Cloud Hoxton.RELEASE through Hoxton.SR6 with Spring Boot 2.2.0.RELEASE through 2.2.7.RELEASE (fixed in 2.2.8.RELEASE)
Spring Boot 2.3.0.RELEASE (fixed in 2.3.1.RELEASE)
Remediation options
Upgrade to a Spring Boot version that bundles a safe Tomcat.
Manually override the embedded Tomcat version in the Maven/Gradle build.
Manual Tomcat upgrade examples (Maven)
Spring Cloud Edgware / Spring Boot 1.5.x – no fixed Spring Boot 1.5 release exists, so the embedded Tomcat version has to be overridden manually:
<properties>
    <tomcat-embed.version>8.5.56</tomcat-embed.version>
</properties>
<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-core</artifactId>
            <version>${tomcat-embed.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-el</artifactId>
            <version>${tomcat-embed.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat.embed</groupId>
            <artifactId>tomcat-embed-websocket</artifactId>
            <version>${tomcat-embed.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.tomcat</groupId>
            <artifactId>tomcat-annotations-api</artifactId>
            <version>${tomcat-embed.version}</version>
        </dependency>
    </dependencies>
</dependencyManagement>
Spring Cloud Finchley / Spring Boot 2.0.x – same approach, set tomcat-embed.version to 8.5.56.
Spring Cloud Greenwich / Spring Boot 2.1.x – either upgrade Boot to 2.1.15.RELEASE (includes Tomcat 9.0.36) or manually set:
<parent>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId>
    <version>2.1.15.RELEASE</version>
</parent>
<properties>
    <tomcat-embed.version>9.0.36</tomcat-embed.version>
</properties>
... (dependencyManagement as above) ...
Spring Cloud Hoxton / Spring Boot 2.2.x – upgrade Boot to 2.2.8.RELEASE or set tomcat-embed.version to 9.0.36 using the same dependencyManagement block.
Spring Boot 2.3.x – upgrade to 2.3.1.RELEASE (bundles Tomcat 9.0.36) or manually set tomcat-embed.version to 9.0.36 as shown above.
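Whichever remediation option you pick, verify that the build actually resolved a fixed Tomcat before shipping. The following POSIX shell script is an added example, not part of the original article: it classifies a tomcat-embed-core version against the fixed releases listed above (8.5.56, 9.0.36, 10.0.0-M6), and extracts that version from either `mvn dependency:tree` output or an `unzip -l` listing of a Spring Boot fat jar (BOOT-INF/lib). The two sample inputs at the bottom are constructed, not captured from a real build, and the milestone-handling rules are my own reading of the version ranges on this page.

```shell
#!/bin/sh
# Added example (not from the original article): check that an application's
# embedded Tomcat is at or beyond the CVE-2020-11996 fixed releases.

# Return 0 when VERSION is a fixed Tomcat release (8.5.56+, 9.0.36+, 10.0.0-M6+),
# 1 when it falls in a vulnerable range or on a branch this script does not know.
tomcat_is_fixed() {
  ver="$1"
  case "$ver" in
    8.5.*)     min=56; patch="${ver#8.5.}" ;;
    9.0.*)     min=36; patch="${ver#9.0.}" ;;    # also matches 9.0.0.M1-style milestones
    10.0.0-M*) min=6;  patch="${ver#10.0.0-M}" ;;
    *)         return 1 ;;                        # unknown branch: treat as not verified
  esac
  patch="${patch%%[!0-9]*}"                       # keep only the leading digits
  case "$patch" in
    '') return 1 ;;                               # nothing numeric to compare
  esac
  [ "$patch" -ge "$min" ]
}

# Print the tomcat-embed-core version found in TEXT, which may be the output of
# `mvn dependency:tree` (...tomcat-embed-core:jar:9.0.36:compile) or of
# `unzip -l app.jar` (...BOOT-INF/lib/tomcat-embed-core-9.0.36.jar).
# Prints nothing when the artifact is absent.
embedded_tomcat_version() {
  printf '%s\n' "$1" | sed -n \
    -e 's/.*tomcat-embed-core:jar:\([^:]*\):.*/\1/p' \
    -e 's/.*tomcat-embed-core-\([0-9][^/ ]*\)\.jar.*/\1/p' | head -n 1
}

# Audit TEXT: return 0 and report when a fixed Tomcat is present, 1 otherwise.
check_build_output() {
  v="$(embedded_tomcat_version "$1")"
  if [ -z "$v" ]; then
    echo "tomcat-embed-core not found in build output"
    return 1
  fi
  if tomcat_is_fixed "$v"; then
    echo "tomcat-embed-core $v: fixed for CVE-2020-11996"
    return 0
  fi
  echo "tomcat-embed-core $v: VULNERABLE to CVE-2020-11996, override the version"
  return 1
}

# Constructed sample inputs (not captured from a real build).
SAMPLE_TREE='[INFO] com.example:demo:jar:0.0.1-SNAPSHOT
[INFO] \- org.springframework.boot:spring-boot-starter-web:jar:2.1.14.RELEASE:compile
[INFO]    \- org.springframework.boot:spring-boot-starter-tomcat:jar:2.1.14.RELEASE:compile
[INFO]       +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.35:compile
[INFO]       +- org.apache.tomcat.embed:tomcat-embed-el:jar:9.0.35:compile'
SAMPLE_JAR_LISTING='  3412567  2020-06-26 10:00   BOOT-INF/lib/tomcat-embed-core-9.0.36.jar
    67890  2020-06-26 10:00   BOOT-INF/lib/tomcat-embed-el-9.0.36.jar'

# When run directly, report on both samples (the first is vulnerable, the second fixed).
for sample in "$SAMPLE_TREE" "$SAMPLE_JAR_LISTING"; do
  check_build_output "$sample" || true          # keep going so both results print
done

# Typical CI use after applying the Maven override from this article:
#   check_build_output "$(mvn -q dependency:tree -Dincludes=org.apache.tomcat.embed:tomcat-embed-core)"
#   check_build_output "$(unzip -l target/app.jar)"
```

Run the dependency-tree form before packaging and the jar-listing form on the artifact you actually deploy; a dependencyManagement override that is shadowed by a later BOM import shows up as a mismatch between the two.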
Reference
Apache security announcement: http://mail-archives.apache.org/mod_mbox/www-announce/202006.mbox/%[email protected]%3E
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Tencent Cloud Middleware
Official account of Tencent Cloud Middleware. Focuses on microservices, messaging middleware and other cloud‑native technology trends, publishing product updates, case studies, and technical insights. Regularly hosts tech salons to share effective solutions.