In Tomcat vulnerability CVE-2020-13943 Detail, what is concurrent streams for a connection?

huangapple go评论79阅读模式
英文:

In Tomcat vulnerability CVE-2020-13943 Detail, what is concurrent streams for a connection?

问题

根据最近记录的漏洞 CVE-2020-13943,涉及到 Tomcat。它指出:

> 如果连接到 Apache Tomcat 10.0.0-M1 到 10.0.0-M7、9.0.0.M1 到 9.0.37 或 8.5.0 到 8.5.57 的 HTTP/2 客户端超过了连接的协商最大并发流量(违反了 HTTP/2 协议),那么随后在该连接上进行的请求可能包含来自先前请求的 HTTP 头,包括 HTTP/2 伪头,而不是预期的头。这可能导致用户看到与预期不符的资源响应。

在 Tomcat 中,我了解连接和线程的含义。这是通过 maxThreadsmaxConnections 属性进行管理的。而且还受到 BIO/NIO 配置 的影响。

但是在这里,“连接的最大并发流量” 是什么意思呢?这里的并发流量是指什么?又如何进行管理呢?

英文:

As per recent logged vulnerability CVE-2020-13943 with tomcat. It says that:

> If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to
> 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of
> the HTTP/2 protocol), it was possible that a subsequent request made
> on that connection could contain HTTP headers - including HTTP/2
> pseudo headers - from a previous request rather than the intended
> headers. This could lead to users seeing responses for unexpected
> resources.

In tomcat I understand what is connection and what is threads. Which is maintained with maxThreads and maxConnections property. And how it is impacted by BIO/NIO configurations.

But here what does this maximum number of concurrent streams for a connection means? What is this concurrent streams for a connections? And how this can be managed?

答案1

得分: 4

流是HTTP/2协议的一部分。每个流代表一个单独的请求。多个流可以通过同一网络连接发送。该协议包括一种机制,用于控制并发活动流的最大数量。当客户端启动的并发流超过约定数量时,会出现此特定漏洞。对于符合规范的客户端,这种情况永远不应发生。

您可以通过HTTP2协议元素maxConcurrentStreams属性设置Tomcat允许客户端发送的最大并发流数。这对于此漏洞应该没有影响,因为客户端应始终遵守设置的任何值。

英文:

Streams are part of the HTTP/2 protocol. Each stream represents a single request. Multiple streams are sent over the same network connection. The protocol includes a mechanism for controlling the maximum number of concurrently active streams. This particular vulnerability occurs when the client starts more than the agreed number of concurrent streams. This should never happen for a specification compliant client.

You can set the maximum number of concurrent streams Tomcat will allow a client to send via the maxConcurrentStreams attribute of the HTTP2 protocol element. This should have no impact on this vulnerability as the client should always honour whatever value is set.

huangapple
  • 本文由 发表于 2020年10月14日 12:53:34
  • 转载请务必保留本文链接:https://go.coder-hub.com/64346807.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定