ASA-2019-00371 – Apache Tomcat: HTTP/2 DoS

The fix for CVE-2019-0199 was incomplete and did not address connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.