PT-2018-3426 · Apache · Apache Tomcat

Published

2018-10-04

·

Updated

2024-06-15

·

CVE-2019-0199

CVSS v2.0

7.8

High

Vector AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 9.0.0.M1 through 9.0.14; Apache Tomcat versions 8.5.0 through 8.5.37
Description: The HTTP/2 implementation accepted streams carrying an excessive number of SETTINGS frames and also let clients keep streams open without ever reading or writing request/response data. For requests served through the Servlet API's blocking I/O, each such idle stream pins a server-side request-processing thread, so a client that holds enough streams open drains the connector's thread pool and causes a denial of service (DoS). Only connectors that enable HTTP/2 are exposed; HTTP/1.1 traffic does not reach the affected code. The weakness is uncontrolled resource consumption (CWE-400).
Recommendations: Update Apache Tomcat 9.0.0.M1 through 9.0.14 to 9.0.16 or later (9.0.15 was never released) and Apache Tomcat 8.5.0 through 8.5.37 to 8.5.38 or later. The fixed releases bound how long a client may hold a stream open without reading or writing (the streamReadTimeout and streamWriteTimeout attributes of the Http2Protocol upgrade protocol, each with a default of 20 seconds) and count overhead frames such as SETTINGS against a per-connection limit (overheadCountFactor and related attributes); consult the HTTP/2 configuration reference for your version before tuning them. Vulnerable versions expose no setting that limits SETTINGS frames or idle streams, so the workable interim mitigation is to disable HTTP/2 by removing the org.apache.coyote.http2.Http2Protocol UpgradeProtocol element from each Connector in server.xml, or to terminate HTTP/2 at a reverse proxy that speaks HTTP/1.1 to Tomcat, until the upgrade can be applied.
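The two questions a responder has to answer per host (is this build inside an affected range, and does server.xml actually enable HTTP/2) as an added audit script. This is example code written for this page, not code from the original advisory or from the Tomcat project. The affected ranges are the advisory's; the first fixed releases (9.0.16 and 8.5.38) and the Http2Protocol attribute names streamReadTimeout and streamWriteTimeout come from the Tomcat security and HTTP/2 configuration pages rather than from this page, and the two server.xml fragments are constructed for the example.

```python
"""Audit helper for CVE-2019-0199 (Apache Tomcat HTTP/2 thread exhaustion).

Check 1: is the installed Tomcat version inside an affected range?
Check 2: does server.xml enable HTTP/2, the only code path that is exposed?
"""
import re
import xml.etree.ElementTree as ET

# Affected ranges as stated in the advisory; first fixed release per branch
# taken from the Tomcat security pages (9.0.15 was never released).
AFFECTED = {
    (9, 0): (("9.0.0.M1", "9.0.14"), "9.0.16"),
    (8, 5): (("8.5.0", "8.5.37"), "8.5.38"),
}
H2_CLASS = "org.apache.coyote.http2.Http2Protocol"
# Http2Protocol attributes (assumed from the Tomcat HTTP/2 configuration
# reference) that bound how long a client may hold an idle stream open.
STREAM_TIMEOUTS = ("streamReadTimeout", "streamWriteTimeout")

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(v):
    """Turn '9.0.0.M1' or '9.0.14' into a sortable tuple.

    Milestone builds (x.y.z.Mn) sort before a GA build with the same x.y.z,
    so the tuple carries a GA flag ahead of the milestone number.
    """
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def fixed_version_for(version):
    """Return the first fixed release if `version` is affected, else None.

    Branches the advisory does not list (e.g. 8.0.x and 7.0.x, which have no
    HTTP/2 support) return None.
    """
    pv = parse_version(version)
    branch = AFFECTED.get(pv[:2])
    if branch is None:
        return None
    (lo, hi), fixed = branch
    return fixed if parse_version(lo) <= pv <= parse_version(hi) else None


def http2_connectors(server_xml):
    """Return (port, explicitly set stream timeouts) for every Connector whose
    UpgradeProtocol is Tomcat's Http2Protocol. HTTP/1.1-only connectors never
    reach the vulnerable code and are skipped."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        for up in conn.findall("UpgradeProtocol"):
            if up.get("className") == H2_CLASS:
                explicit = {a: up.get(a) for a in STREAM_TIMEOUTS if up.get(a)}
                found.append((conn.get("port"), explicit))
    return found


def assess(version, server_xml):
    """Combine both checks: (status, first fixed release or None, HTTP/2 ports)."""
    ports = [port for port, _ in http2_connectors(server_xml)]
    fixed = fixed_version_for(version)
    if not ports:
        return ("not_exposed", fixed, ports)   # HTTP/2 is never negotiated
    if fixed:
        return ("vulnerable", fixed, ports)    # upgrade, or drop the UpgradeProtocol
    return ("patched", None, ports)


# Constructed server.xml fragments: a typical pre-fix deployment that enables
# HTTP/2 with no tuning, and the same file with the fix's stream timeouts set.
VULNERABLE_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
  </Service>
</Server>"""

HARDENED_XML = VULNERABLE_XML.replace(
    '<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>',
    '<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"\n'
    '                       streamReadTimeout="10000" streamWriteTimeout="10000"/>')


if __name__ == "__main__":
    for ver in ("9.0.0.M1", "9.0.14", "9.0.16", "8.5.37", "8.5.38", "8.0.53"):
        print(f"{ver:10} {assess(ver, VULNERABLE_XML)}")
```

Point `assess` at the output of `catalina.sh version` (the "Server number" line) and the live server.xml; a "vulnerable" verdict with a non-empty port list means the HTTP/2 path is reachable on an unfixed build, and the immediate choice is the upgrade or removing the UpgradeProtocol element on those ports. The explicit timeouts reported by `http2_connectors` only matter on fixed builds, where they override the defaults; on vulnerable builds the attributes are unknown to the server.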

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2020-2892
ALT-PU-2020-3213
ALT-PU-2021-2858
BDU:2020-01022
CVE-2019-0199
DSA-4596-1
GHSA-QCXH-W3J9-58QR
GHSA-R53M-PFR5-7V87
MGASA-2019-0260
OPENSUSE-SU-2019:1673-1
OPENSUSE-SU-2019:1723-1
OPENSUSE-SU-2019:1808-1
OPENSUSE-SU-2024:11468-1
OPENSUSE-SU-2024:13441-1
RHSA-2019:3929
SUSE-SU-2019:1693-1
SUSE-SU-2019:1825-1
SUSE-SU-2019:1866-1
SUSE-SU-2019:1895-1

Affected Products

Alt Linux
Apache Tomcat
Suse