exploitDog

CVE-2024-34750

Published: 03 Jul 2024
Source: redhat
CVSS3: 7.5
EPSS: Medium

Description

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

A vulnerability was found in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This issue led to a miscounting of active HTTP/2 streams, which in turn led to using an incorrect infinite timeout that allowed connections to remain open that should have been closed.

Report

This vulnerability in Apache Tomcat is significant due to its impact on the stability and security of web applications relying on HTTP/2. The improper handling of excessive HTTP headers during HTTP/2 stream processing leads to an inaccurate count of active streams. This miscount causes the application to apply an incorrect infinite timeout, allowing connections to persist indefinitely. Such behavior results in uncontrolled resource consumption, potentially exhausting server resources and leading to denial of service (DoS) conditions. By exploiting this flaw, an attacker could degrade the performance or availability of the server.

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform | Package | State | Advisory | Release
Red Hat Enterprise Linux 6 | tomcat6 | Not affected | | 
Red Hat Enterprise Linux 7 | tomcat | Not affected | | 
Red Hat Enterprise Linux 9 | pki-servlet-engine | Will not fix | | 
Red Hat Enterprise Linux 8 | tomcat | Fixed | RHSA-2024:5694 | 21.08.2024
Red Hat Enterprise Linux 8.8 Extended Update Support | tomcat | Fixed | RHSA-2024:5695 | 21.08.2024
Red Hat Enterprise Linux 9 | tomcat | Fixed | RHSA-2024:5693 | 21.08.2024
Red Hat Enterprise Linux 9.2 Extended Update Support | tomcat | Fixed | RHSA-2024:5696 | 21.08.2024
Red Hat JBoss Web Server 5 | jws5-tomcat | Fixed | RHSA-2024:5025 | 06.08.2024
Red Hat JBoss Web Server 5.8 on RHEL 7 | jws5-tomcat | Fixed | RHSA-2024:5024 | 06.08.2024
Red Hat JBoss Web Server 5.8 on RHEL 8 | jws5-tomcat | Fixed | RHSA-2024:5024 | 06.08.2024

Additional information

Status:

Important
Weakness:
CWE-400
Weakness:
CWE-755
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2295651 (tomcat: Improper Handling of Exceptional Conditions)

EPSS

Percentile: 95%
Score: 0.19663 (Medium)

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 7.5
ubuntu
12 months ago

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

CVSS3: 7.5
nvd
12 months ago

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

CVSS3: 7.5
debian
12 months ago

Improper Handling of Exceptional Conditions, Uncontrolled Resource Con ...

suse-cvrf
11 months ago

Security update for tomcat

suse-cvrf
11 months ago

Security update for tomcat
