Allele Security Alert
Vendor
The Apache Software Foundation
Affected versions
Apache Tomcat versions 9.0.0.M1 to 9.0.19
Apache Tomcat versions 8.5.0 to 8.5.40
Fixed versions
Apache Tomcat 9.0.20 or later
Apache Tomcat 8.5.41 or later
Proof of concept
Description
The fix for CVE-2019-0199 was incomplete and did not address connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block while writing response data, eventually leading to thread exhaustion and a denial of service.
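The following model, added here for illustration and not taken from Tomcat or from the reporter, shows the mechanism in the description. HTTP/2 send-side flow control charges every DATA frame against two windows, the stream's and the connection's (stream 0), and the sender must stop when either reaches zero. A client that keeps acknowledging the stream window but never sends WINDOW_UPDATE on stream 0 drains the connection window after the initial 65535 bytes, after which an unpatched server thread waits forever; applying a write timeout to that wait (the shape of the fix) lets the thread fail the write and return to the pool. The `ServerConnection` and `simulate` names, the timeout values and the 200,000-byte response body are assumptions of this example.

```python
"""Model of HTTP/2 send-side flow control and stream-0 window starvation (example, not Tomcat code)."""
import struct
import threading

FRAME_WINDOW_UPDATE = 0x8
INITIAL_WINDOW = 65535   # RFC 7540 section 6.9.2 default for stream and connection windows
MAX_FRAME = 16384        # default SETTINGS_MAX_FRAME_SIZE


def encode_window_update(stream_id, increment):
    """Serialize a WINDOW_UPDATE frame; stream_id 0 credits the connection window."""
    payload = struct.pack(">I", increment & 0x7FFFFFFF)
    header = (len(payload).to_bytes(3, "big")
              + bytes([FRAME_WINDOW_UPDATE, 0])
              + struct.pack(">I", stream_id & 0x7FFFFFFF))
    return header + payload


def decode_frame(buf):
    """Split one HTTP/2 frame into (type, flags, stream_id, payload)."""
    length = int.from_bytes(buf[0:3], "big")
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return buf[3], buf[4], stream_id, buf[9:9 + length]


class WriteTimeout(Exception):
    pass


class ServerConnection:
    """Server side of flow control. write_timeout=None models the unpatched behaviour (assumed)."""

    def __init__(self, write_timeout=None):
        self.cond = threading.Condition()  # RLock underneath, so receive() may be called from a write callback
        self.conn_window = INITIAL_WINDOW
        self.stream_windows = {}
        self.write_timeout = write_timeout
        self.bytes_sent = 0

    def receive(self, frame):
        ftype, _, sid, payload = decode_frame(frame)
        if ftype != FRAME_WINDOW_UPDATE:
            return
        inc = struct.unpack(">I", payload)[0] & 0x7FFFFFFF
        with self.cond:
            if sid == 0:
                self.conn_window += inc
            else:
                self.stream_windows[sid] = self.stream_windows.get(sid, INITIAL_WINDOW) + inc
            self.cond.notify_all()

    def _allowance(self, sid):
        return min(self.conn_window, self.stream_windows[sid])

    def write_body(self, sid, body, on_data):
        """Send body as DATA frames, waiting whenever either window is zero."""
        remaining = len(body)
        with self.cond:
            self.stream_windows.setdefault(sid, INITIAL_WINDOW)
            while remaining > 0:
                if not self.cond.wait_for(lambda: self._allowance(sid) > 0, timeout=self.write_timeout):
                    raise WriteTimeout("peer sent no usable WINDOW_UPDATE within %ss" % self.write_timeout)
                chunk = min(self._allowance(sid), remaining, MAX_FRAME)
                self.conn_window -= chunk
                self.stream_windows[sid] -= chunk
                remaining -= chunk
                self.bytes_sent += chunk
                on_data(sid, chunk)  # the peer reacts to the DATA frame
        return self.bytes_sent


def simulate(update_connection_window, write_timeout, body_len=200_000, wait=1.0):
    """Run one response write against a client that does or does not credit stream 0."""
    server = ServerConnection(write_timeout)
    result = {"outcome": None, "bytes_sent": 0}

    def client_on_data(sid, nbytes):
        server.receive(encode_window_update(sid, nbytes))      # stream window always re-credited
        if update_connection_window:
            server.receive(encode_window_update(0, nbytes))    # a starving client skips this

    def worker():
        try:
            server.write_body(1, b"x" * body_len, client_on_data)
            result["outcome"] = "completed"
        except WriteTimeout:
            result["outcome"] = "timed_out"

    t = threading.Thread(target=worker, daemon=True)
    t.start()
    t.join(wait)
    if t.is_alive():
        result["outcome"] = "blocked"   # thread never returns to the pool: the DoS condition
    result["bytes_sent"] = server.bytes_sent
    return result


if __name__ == "__main__":
    print("well-behaved client, no timeout :", simulate(True, None))
    print("starving client, no timeout     :", simulate(False, None))
    print("starving client, write timeout  :", simulate(False, 0.1))
```

The starving client stalls the writer at exactly 65535 bytes, the initial connection window, no matter how much stream-level credit it keeps sending; with a write timeout the same stall ends in a failed write and a freed thread instead of a permanently blocked one.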
Credit
John Simpson (Trend Micro Security Research)
References
[SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
Apache Tomcat – Apache Tomcat 9 vulnerabilities
Apache Tomcat – Apache Tomcat 8 vulnerabilities
Expand HTTP/2 timeout handling to connection window exhaustion on write.
Fix test failures. Handle full allocation case.
If there is any error in this alert, or you want a comprehensive analysis, let us know.
Last modified: October 2, 2019