|
|
|||
| Rule General Information |
|---|
| Release Date: | 2020-05-20 | |
| Rule Name: | Apache Tomcat HTTP2 Denial of Service Vulnerability (CVE-2019-0199) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. | |
| Impact: | An attacker can launch a denial of service attack by exploiting the vulnerability successfully. | |
| Affected OS: | Windows, Linux | |
| Reference: | SecurityFocusBID:107674 http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html |
|
| Solutions |
|---|
| The vendors have released upgrade patches to fix vulnerabilities, please visit: https://tomcat.apache.org/security-8.html |