|
|||
Rule General Information |
---|
Release Date: | 2020-05-20 | |
Rule Name: | Apache Tomcat HTTP2 Denial of Service Vulnerability (CVE-2019-0199) | |
Severity: | ||
CVE ID: | ||
Rule Protection Details |
---|
Description: | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. | |
Impact: | An attacker can launch a denial of service attack by exploiting the vulnerability successfully. | |
Affected OS: | Windows, Linux | |
Reference: | SecurityFocusBID:107674 http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.html |
|
Solutions |
---|
The vendors have released upgrade patches to fix vulnerabilities, please visit: https://tomcat.apache.org/security-8.html |