Description
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
A denial of service (DoS) vulnerability present in the Apache Tomcat package arises from an incomplete cleanup process. Specifically, WebSocket clients can perpetuate WebSocket connections without proper termination, thereby causing a sustained drain on system resources. This vulnerability facilitates the exploitation of Apache Tomcat servers, leading to a scenario where excessive resource consumption occurs due to the prolonged existence of these open WebSocket connections. As a consequence, the server's performance may degrade significantly, resulting in potential service disruption or unresponsiveness.
Statement
This Denial of Service (DoS) vulnerability within the Apache Tomcat package represents an Important severity issue due to its potential to significantly impact system availability and performance. By allowing WebSocket clients to maintain open connections without proper cleanup, the vulnerability facilitates the sustained consumption of server resources. This exploitation results in increased CPU, memory, and network utilization, ultimately leading to server degradation or unresponsiveness. The inability to terminate these lingering connections efficiently exacerbates the severity of the issue, as it enables attackers to exploit limited resources over an extended period, amplifying the impact of the attack. Red Hat Certificate System 10.0, as well as Red Hat Enterprise Linux 8's Identity Management, use a vulnerable version of Tomcat bundled into the pki-servlet-engine component. However, there is no entry point for WebSockets, and thus it is not possible to trigger the flaw in a supported setup.
Mitigation
Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | tomcat6 | Out of support scope | ||
Red Hat Enterprise Linux 7 | tomcat | Not affected | ||
Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Will not fix | ||
Red Hat Enterprise Linux 9 | pki-servlet-engine | Will not fix | ||
Red Hat Enterprise Linux 8 | tomcat | Fixed | RHSA-2024:3666 | 06.06.2024 |
Red Hat Enterprise Linux 8.8 Extended Update Support | tomcat | Fixed | RHSA-2024:3814 | 11.06.2024 |
Red Hat Enterprise Linux 9 | tomcat | Fixed | RHSA-2024:3307 | 23.05.2024 |
Red Hat Enterprise Linux 9.2 Extended Update Support | tomcat | Fixed | RHSA-2024:3308 | 23.05.2024 |
Red Hat JBoss Web Server 5 | tomcat | Fixed | RHSA-2024:1914 | 07.05.2024 |
Red Hat JBoss Web Server 5.8 on RHEL 7 | jws5-tomcat | Fixed | RHSA-2024:1913 | 07.05.2024 |
Additional information
Status:
EPSS
7.5 High
CVSS3
Related vulnerabilities
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Denial of Service via incomplete cleanup vulnerability in Apache Tomca ...
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat
Vulnerability in the Apache Tomcat application server related to incomplete cleanup of temporary or auxiliary resources, allowing an attacker to cause a denial of service