https://bugzilla.redhat.com/show_bug.cgi?id=1693325
Bug ID: 1693325
Summary: CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190325,reported=20190326,sou
rce=internet,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:
U/C:N/I:N/A:H,cwe=CWE-400,fedora-all/tomcat=affected,r
hscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat
=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat
=notaffected,brms-5/jbossweb=notaffected,eap-6/jbosswe
b=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbosswe
b=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=
notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=no
taffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=n
otaffected,springboot-1/tomcat=notaffected,jbews-2/tom
cat6=notaffected,jws-3/tomcat7=notaffected,rhel-7/tomc
at=notaffected,jbews-2/tomcat7=notaffected,jws-3/tomca
t8=new,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaf
fected,jws-5/tomcat=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: aileenc(a)redhat.com, alazarot(a)redhat.com,
alee(a)redhat.com, anstephe(a)redhat.com,
apintea(a)redhat.com, avibelli(a)redhat.com,
bgeorges(a)redhat.com, bmaxwell(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
cmoulliard(a)redhat.com, coolsvap(a)gmail.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dimitris(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, etirelli(a)redhat.com,
fgavrilo(a)redhat.com, gvarsami(a)redhat.com,
gzaronik(a)redhat.com, hhorak(a)redhat.com,
ibek(a)redhat.com, ikanello(a)redhat.com,
ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jclere(a)redhat.com, jcoleman(a)redhat.com,
jdoyle(a)redhat.com, jolee(a)redhat.com,
jondruse(a)redhat.com, jorton(a)redhat.com,
jpallich(a)redhat.com, jschatte(a)redhat.com,
jshepherd(a)redhat.com, jstastny(a)redhat.com,
kconner(a)redhat.com, krathod(a)redhat.com,
krzysztof.daniel(a)gmail.com, kverlaen(a)redhat.com,
ldimaggi(a)redhat.com, lgao(a)redhat.com,
loleary(a)redhat.com, lpetrovi(a)redhat.com,
lthon(a)redhat.com, mbabacek(a)redhat.com,
mizdebsk(a)redhat.com, mszynkie(a)redhat.com,
myarboro(a)redhat.com, nwallace(a)redhat.com,
paradhya(a)redhat.com, pgallagh(a)redhat.com,
pgier(a)redhat.com, pjurak(a)redhat.com,
ppalaga(a)redhat.com, psakar(a)redhat.com,
pslavice(a)redhat.com, pszubiak(a)redhat.com,
rnetuka(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rstancel(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
rwagner(a)redhat.com, rzhang(a)redhat.com,
sdaley(a)redhat.com, spinder(a)redhat.com,
tcunning(a)redhat.com, theute(a)redhat.com,
tkirby(a)redhat.com, trogers(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com,
vtunka(a)redhat.com, weli(a)redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Apache Tomcat version from 9.0.0.M1 to 9.0.14
inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted
streams with excessive numbers of SETTINGS frames and also permitted clients to
keep streams open without reading/writing request/response data. By keeping
streams open for requests that utilised the Servlet API's blocking I/O, clients
were able to cause server-side threads to block eventually leading to thread
exhaustion and a DoS.
References:
https://mail-archives.apache.org/mod_mbox/tomcat-announce/201903.mbox/bro...
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html
--
You are receiving this mail because:
You are on the CC list for the bug.