Описание
Security update for tomcat
This update for tomcat fixes the following issues:
- CVE-2024-24549: Fixed denial of service during header validation for HTTP/2 stream (bsc#1221386)
- CVE-2024-23672: Fixed denial of service due to malicious WebSocket client keeping connection open (bsc#1221385)
Список пакетов
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
Ссылки
- Link for SUSE-SU-2024:1205-1
- E-Mail link for SUSE-SU-2024:1205-1
- SUSE Security Ratings
- SUSE Bug 1221385
- SUSE Bug 1221386
- SUSE CVE CVE-2024-23672 page
- SUSE CVE CVE-2024-24549 page
Описание
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Затронутые продукты
Ссылки
- CVE-2024-23672
- SUSE Bug 1221385
Описание
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Затронутые продукты
Ссылки
- CVE-2024-24549
- SUSE Bug 1221386