Описание
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106.
The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.0 through 8.5.100.
Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
A denial of service flaw was found in Apache Tomcat. An uncontrolled resource consumption vulnerability, where an HTTP/2 client fails to acknowledge the initial settings frame that reduces the maximum permitted concurrent streams, could result in a denial of service.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | tomcat6 | Fix deferred | ||
| Red Hat Enterprise Linux 7 | tomcat | Fix deferred | ||
| Red Hat Enterprise Linux 8 | pki-deps:10.6/pki-servlet-engine | Fix deferred | ||
| Red Hat Enterprise Linux 9 | pki-servlet-engine | Fix deferred | ||
| Red Hat Enterprise Linux 10 | tomcat9 | Fixed | RHSA-2025:14178 | 20.08.2025 |
| Red Hat Enterprise Linux 10 | tomcat | Fixed | RHSA-2025:14179 | 20.08.2025 |
| Red Hat Enterprise Linux 8 | tomcat | Fixed | RHSA-2025:14177 | 20.08.2025 |
| Red Hat Enterprise Linux 8.8 Telecommunications Update Service | tomcat | Fixed | RHSA-2025:14182 | 20.08.2025 |
| Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions | tomcat | Fixed | RHSA-2025:14182 | 20.08.2025 |
| Red Hat Enterprise Linux 9 | tomcat | Fixed | RHSA-2025:14181 | 20.08.2025 |
Показывать по
Дополнительная информация
Статус:
5.3 Medium
CVSS3
Связанные уязвимости
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an ...
Apache Tomcat Coyote vulnerable to Denial of Service via excessive HTTP/2 streams
Уязвимость сервера приложений Apache Tomcat, связанная с неконтролируемым расходом ресурсов, позволяющая нарушителю вызвать отказ в обслуживании
5.3 Medium
CVSS3