Описание
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
Отчет
Red Hat OpenStack Platform's OpenDaylight will not be updated for this flaw because it was deprecated as of RHOSP14 and is only receiving security fixes for Important and Critical flaws. Apache Tomcat versions as shipped with Red Hat Enterprise Linux 6 and 7 are not affected by this flaw as it doesn't support HTTP/2 protocol. Red Hat Enterprise Linux 8's Identity Management is using an affected version of Tomcat bundled within PKI servlet engine, however HTTP/2 protocol is not supported by this component. pki-servlet-engine has been obsoleted by Tomcat in Red Hat Enterprise Linux 8.9 and later. Therefore no additional fixes would be made available for the servlet engine.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | tomcat | Not affected | ||
| Red Hat Enterprise Linux 6 | tomcat6 | Not affected | ||
| Red Hat Enterprise Linux 7 | tomcat | Not affected | ||
| Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Will not fix | ||
| Red Hat JBoss Data Grid 6 | jbossweb | Out of support scope | ||
| Red Hat JBoss Data Virtualization 6 | jbossweb | Out of support scope | ||
| Red Hat JBoss Enterprise Application Platform 6 | jbossweb | Out of support scope | ||
| Red Hat JBoss Fuse 6 | tomcat | Out of support scope | ||
| Red Hat JBoss Web Server 3 | tomcat | Not affected | ||
| Red Hat OpenStack Platform 10 (Newton) | opendaylight | Out of support scope |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat ...
EPSS
7.5 High
CVSS3