PT-2017-16645 · Apache · Apache Tomcat

Published: 2017-03-30 · Updated: 2023-12-08 · CVE-2017-5650

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 8.5.0 through 8.5.12
Apache Tomcat versions 9.0.0.M1 through 9.0.0.M18

Description

The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

Recommendations

For Apache Tomcat versions 8.5.0 through 8.5.12, update to a version that includes the fix for this issue. For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M18, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the number of concurrent HTTP/2 requests to minimize the risk of exploitation.
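The following server.xml connector fragment is an added illustration of the interim workaround; it is not part of this advisory or of the Tomcat project's own configuration. It assumes a Tomcat 8.5.x or 9.0.x instance with HTTP/2 enabled on a TLS connector. `maxConcurrentStreams` on the HTTP/2 UpgradeProtocol and `maxConnections` / `maxThreads` on the Connector are existing Tomcat attributes; the port, certificate paths and the numeric limits chosen here are placeholders and assumptions, not recommended values.

```xml
<!-- Added example, not from the advisory or the Tomcat project.
     Assumed: Tomcat 8.5.x / 9.0.x, HTTP/2 enabled on a TLS connector.
     Port, certificate paths and numeric limits are placeholders/assumptions. -->

<!-- Before: HTTP/2 enabled with default stream limits. On an unpatched
     version, streams left waiting for WINDOW_UPDATE after a GOAWAY keep
     holding worker threads, so the pool of maxThreads can be exhausted. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/PLACEHOLDER.key"
                     certificateFile="conf/PLACEHOLDER.crt" />
    </SSLHostConfig>
</Connector>

<!-- After (temporary workaround until the instance is upgraded): cap the
     number of streams each HTTP/2 connection may hold open, and bound the
     total number of connections, so waiting streams cannot consume every
     worker thread. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" maxConnections="2000" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     maxConcurrentStreams="20" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/PLACEHOLDER.key"
                     certificateFile="conf/PLACEHOLDER.crt" />
    </SSLHostConfig>
</Connector>
```

A per-connection stream cap only limits how many threads one connection can tie up, so it should be paired with a connection limit and treated as a stopgap: the advisory's actual fix is updating to a Tomcat release that closes the waiting streams when the GOAWAY frame is handled.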

Fix

Weakness Enumeration

Improper Resource Release

Related Identifiers

CVE-2017-5650
GHSA-9785-W233-X6HV

Affected Products

Apache Tomcat