Description
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.
Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. Red Hat's own summary of the flaw is the same: under certain configurations on any platform, an attacker can drive the server into an OutOfMemoryError through the TLS handshake.
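The version ranges above mix milestone builds (11.0.0-M1 through M20, 10.1.0-M1 onward) with final releases, and a naive string comparison gets milestones wrong. The following Python check is an added example, not code from the advisory or the Tomcat project: it parses a Tomcat version string into a sortable tuple in which a milestone sorts before the release with the same numbers, and classifies it against the affected and fixed ranges quoted above. The banner format `Server version: Apache Tomcat/9.0.89` is what `catalina.sh version` prints; the sample banners in the block are constructed.

```python
import re

# Affected (inclusive) ranges and first fixed release per branch, taken from the advisory text.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M20", "11.0.0-M21"),
    ("10.1.0-M1", "10.1.24", "10.1.25"),
    ("9.0.13", "9.0.89", "9.0.90"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(text):
    """Turn 'major.minor.patch' or 'major.minor.patch-Mn' into a sortable tuple.

    A milestone build (Mn) precedes the final release with the same numbers,
    so the last element is (0, n) for milestones and (1, 0) for releases.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch), tail)


def version_from_banner(line):
    """Extract the version from a 'Server version: Apache Tomcat/9.0.89' line
    (the format printed by `catalina.sh version`); None if the line has no match."""
    m = _BANNER_RE.search(line)
    return m.group(1) if m else None


def check_version(text):
    """Classify a version: ('affected', fixed), ('fixed', fixed) or ('unlisted', None).

    'unlisted' covers branches the advisory does not enumerate (such as 8.5.x,
    which it says may also be affected) and builds below the first affected one.
    """
    v = parse_version(text)
    for lo, hi, fixed in AFFECTED_RANGES:
        if parse_version(lo) <= v <= parse_version(hi):
            return ("affected", fixed)
        # Same branch (major.minor) and at or past the fixed build.
        if v[:2] == parse_version(fixed)[:2] and v >= parse_version(fixed):
            return ("fixed", fixed)
    return ("unlisted", None)


if __name__ == "__main__":
    # Constructed sample banners; on a real host run `$CATALINA_HOME/bin/catalina.sh version`.
    for banner in ("Server version: Apache Tomcat/9.0.89",
                   "Server version: Apache Tomcat/10.1.0-M7",
                   "Server version: Apache Tomcat/11.0.0-M21",
                   "Server version: Apache Tomcat/8.5.100"):
        ver = version_from_banner(banner)
        print(ver, check_version(ver))
```

An "unlisted" result is not a clean bill of health: the advisory explicitly says older, unsupported branches may also be affected, so an 8.5.x or earlier install should be treated as in scope until upgraded to a supported branch.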
Statement
CVE-2024-38286 is rated important because an attacker can cause an OutOfMemoryError by abusing the TLS handshake process in Apache Tomcat. An OutOfMemoryError in the JVM amounts to a denial of service (DoS): the application or the whole server becomes inoperable. The issue only affects configurations that use TLS 1.3, which is increasingly adopted for secure communications.
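Since only TLS 1.3 configurations are in scope, the first question on a deployed server is which SSL-enabled connectors actually allow TLS 1.3. The following Python is added here and is not part of the advisory or the Tomcat code base: it parses a constructed `server.xml` and lists the connectors whose configuration enables TLSv1.3. It relies on the Tomcat SSL configuration reference as I understand it: the `SSLHostConfig` `protocols` attribute (or the older per-Connector `sslEnabledProtocols`) is built from an empty list, tokens prefixed with `+` add a protocol and `-` removes one, unprefixed tokens add, `all` is an alias for SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, and an absent attribute means `all`. Whether TLSv1.3 is then really offered also depends on the JSSE or OpenSSL implementation in use; this check is config-level only.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page); four SSL connectors with different protocol settings.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig protocols="all,-TLSv1.3">
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8445" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8446" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="conf/localhost-rsa.jks"/>
  </Service>
</Server>
"""

# Expansion of the "all" alias per the Tomcat SSL configuration reference (assumption stated in the lead-in).
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
_CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}


def enabled_protocols(value):
    """Expand a Tomcat `protocols` value into the set of protocols it enables.

    The set starts empty; '+name' adds, '-name' removes, a bare name adds,
    'all' expands to ALL_PROTOCOLS, and None (attribute absent) means 'all'.
    """
    if value is None:
        value = "all"
    enabled = set()
    # Split immediately before each '+', '-' or ',' so every token keeps its own prefix.
    for raw in re.split(r"(?=[+\-,])", value):
        token = raw.strip()
        op = "+"
        if token and token[0] in "+-,":
            op, token = token[0], token[1:].strip()
        if not token:
            continue
        lowered = token.lower()
        names = ALL_PROTOCOLS if lowered == "all" else {_CANONICAL.get(lowered, token)}
        if op == "-":
            enabled -= names
        else:
            enabled |= names
    return enabled


def tls13_connectors(server_xml_text):
    """Return the ports of SSLEnabled connectors whose configuration enables TLSv1.3."""
    root = ET.fromstring(server_xml_text)
    exposed = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        host_configs = conn.findall("SSLHostConfig")
        if host_configs:
            values = [hc.get("protocols") for hc in host_configs]
        else:
            # Legacy per-Connector attribute; same semantics and same default of "all".
            values = [conn.get("sslEnabledProtocols")]
        if any("TLSv1.3" in enabled_protocols(v) for v in values):
            exposed.append(conn.get("port"))
    return exposed


if __name__ == "__main__":
    print("connectors allowing TLS 1.3:", tls13_connectors(SAMPLE_SERVER_XML))
```

On the constructed input this reports ports 8443 and 8445: 8443 lists TLSv1.3 explicitly and 8445 has no `protocols` attribute, so it inherits the default of `all`. A connector left at the default is therefore in scope even though nothing in its configuration mentions TLS 1.3. Confirm from the network side with `openssl s_client -tls1_3 -connect host:8443` if the provider version is uncertain, and treat the inventory as scoping for the upgrade, which is the fix the advisory gives.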
Mitigation
No mitigation for this issue is available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, and stability.
Affected packages
Platform | Package | State | Errata | Release date
---|---|---|---|---
Red Hat Enterprise Linux 6 | tomcat6 | Out of support scope | |
Red Hat Enterprise Linux 7 | tomcat | Not affected | |
Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Will not fix | |
Red Hat Enterprise Linux 9 | pki-servlet-engine | Affected | |
Red Hat Enterprise Linux 8 | tomcat | Fixed | RHSA-2024:5694 | 2024-08-21
Red Hat Enterprise Linux 8.2 Advanced Update Support | pki-deps | Fixed | RHSA-2024:8567 | 2024-10-29
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | pki-deps | Fixed | RHSA-2024:8497 | 2024-10-28
Red Hat Enterprise Linux 8.4 Telecommunications Update Service | pki-deps | Fixed | RHSA-2024:8497 | 2024-10-28
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | pki-deps | Fixed | RHSA-2024:8497 | 2024-10-28
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | pki-deps | Fixed | RHSA-2024:8572 | 2024-10-29
Additional information
Status:
EPSS:
CVSS3: 7.5 High