[ https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17487485#comment-17487485 ]
Michael Brohl commented on OFBIZ-11848:
---------------------------------------

To answer your question: if I remember correctly, adding allowedRequestAttributesPattern = ".*" was a solution to a connection problem we faced in a project after the upgrade. I found several recommendations, e.g. [1], to set this, and it worked, so I went with this solution. I have not checked if the list of allowed patterns could have been reduced, though.

[1] https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp/63928276#63928276

> Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)
> -----------------------------------------------------
>
>                 Key: OFBIZ-11848
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-11848
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: 17.12.03, Trunk, 18.12.01
>            Reporter: Michael Brohl
>            Assignee: Michael Brohl
>            Priority: Major
>             Fix For: Release Branch 17.12, 18.12.01
>
>
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
>
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become unresponsive.
>
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
>
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
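For readers weighing the allowedRequestAttributesPattern = ".*" setting discussed in the comment above, the following server.xml fragment is an added example and is not configuration from the OFBiz project or from this issue. It places the permissive AJP connector beside a tightened one. Background that the example relies on: since Tomcat 9.0.31 the AJP connector binds to the loopback address by default, requires a shared secret (secretRequired defaults to true), and answers 403 to any request carrying a request attribute whose name is not one of the attributes Tomcat handles itself and does not match allowedRequestAttributesPattern. The port, the secret value, and the attribute names CLIENT_IP and REQUEST_ID are assumptions chosen for illustration.

```xml
<!-- Added example, not OFBiz project configuration. Both connectors are
     shown side by side for comparison; a real server.xml would keep only one.
     The port, the secret value and the attribute names are assumptions. -->

<!-- Permissive: every request attribute the reverse proxy sends is accepted.
     ".*" switches off the attribute filtering that Tomcat 9.0.31 introduced,
     so any upstream that can reach port 8009 may set arbitrary attributes. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="example-secret-change-me"
           allowedRequestAttributesPattern=".*" />

<!-- Tightened: allow only the attribute names the proxy is known to send
     (assumed here: CLIENT_IP and REQUEST_ID). Any other attribute name is
     still rejected with 403, which is the behaviour the hardening intended. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           redirectPort="8443"
           secretRequired="true"
           secret="example-secret-change-me"
           allowedRequestAttributesPattern="^(CLIENT_IP|REQUEST_ID)$" />
```

To work out what the tightened pattern should contain, look at the httpd side: mod_proxy_ajp forwards environment variables whose names start with AJP_ as AJP request attributes with that prefix removed, so a `SetEnv AJP_CLIENT_IP ...` directive is what would require CLIENT_IP in the pattern. The same httpd worker needs the matching shared secret (the `secret=` ProxyPass parameter, available in httpd 2.4.42 and later), otherwise the connection failure that prompted the ".*" workaround would persist regardless of the attribute pattern.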