PT-2019-3926 · Apache+3 · Apache Tomcat+3

Published: 2019-05-13 · Updated: 2024-06-15 · CVE-2019-10072

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 8.5.0 through 8.5.40
Apache Tomcat versions 9.0.0.M1 through 9.0.19
Description

The issue is an uncontrolled resource consumption in the Apache Tomcat server. A remote attacker can exploit it to cause a denial of service (DoS) when no WINDOW_UPDATE message is sent for the HTTP/2 connection window (stream 0). This can exhaust the server-side thread pool, causing the server to become unresponsive. The estimated number of potentially affected devices is not specified.
Recommendations

For Apache Tomcat versions 8.5.0 through 8.5.40, update to a version that includes the complete fix for the issue. For Apache Tomcat versions 9.0.0.M1 through 9.0.19, update to a version that includes the complete fix for the issue. As a temporary workaround, consider restricting access to the HTTP/2 connection window to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Improper Locking

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2020-2892
ALT-PU-2020-3213
ALT-PU-2021-2858
BDU:2019-04404
CVE-2019-10072
DSA-4680-1
GHSA-Q4HG-RMQ2-52Q9
MGASA-2019-0260
OPENSUSE-SU-2020:0038-1
OPENSUSE-SU-2020_0038-1
OPENSUSE-SU-2024:11468-1
OPENSUSE-SU-2024:13441-1
RHSA-2019:3929
SUSE-SU-2019:1866-1
SUSE-SU-2020:0029-1
SUSE-SU-2020:0226-1
SUSE-SU-2020:0632-1
SUSE-SU-2020_0029-1
SUSE-SU-2020_0226-1
USN-4128-1
USN-4128-2
ZDI-19-582

Affected Products

Alt Linux
Apache Tomcat
Suse
Ubuntu