[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Mar 2024 15:47:54 +0000
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS
Severity: important
Affected versions:
- Apache Tomcat 11.0.0-M1 through 11.0.0-M16
- Apache Tomcat 10.1.0-M1 through 10.1.18
- Apache Tomcat 9.0.0-M1 through 9.0.85
- Apache Tomcat 8.5.0 through 8.5.98
Description:
Denial of Service due to improper input validation vulnerability for
HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if
the request exceeded any of the configured limits for headers, the
associated HTTP/2 stream was not reset until after all of the headers
had been processed.This issue affects Apache Tomcat: from 11.0.0-M1
through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1
through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86
or 8.5.99 which fix the issue.
Credit:
Bartek Nowotarski (finder)
References:
https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-24549
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
