Back to search
CVE-2019-0199
Published: Apr 10, 2019
Modified: Aug 4, 2024
PUBLISHED
Description
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
| Vendor | Product | Versions |
|---|---|---|
n/a | Apache Tomcat | affected Apache Tomcat 9.0.0.M1 to 9.0.14, 8.5.0 to 8.5.37 |
References
[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
mailing-list
x_refsource_MLIST
https://security.netapp.com/advisory/ntap-20190419-0001/
x_refsource_CONFIRM
[tomee-commits] 20190528 [jira] [Closed] (TOMEE-2497) Upgrade Tomcat in TomEE 7.0.x/7.1.x/8.0.x for CVE-2019-0199
mailing-list
x_refsource_MLIST
[tomcat-users] 20190620 Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
[announce] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
[tomcat-announce] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
[tomcat-users] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
[tomcat-dev] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
[tomcat-announce] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
[tomcat-users] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
[announce] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
mailing-list
x_refsource_MLIST
FEDORA-2019-1a3f878d27
vendor-advisory
x_refsource_FEDORA
https://support.f5.com/csp/article/K17321505
x_refsource_CONFIRM
openSUSE-SU-2019:1673
vendor-advisory
x_refsource_SUSE
FEDORA-2019-d66febb5df
vendor-advisory
x_refsource_FEDORA
107674
vdb-entry
x_refsource_BID
openSUSE-SU-2019:1723
vendor-advisory
x_refsource_SUSE
openSUSE-SU-2019:1808
vendor-advisory
x_refsource_SUSE
RHSA-2019:3929
vendor-advisory
x_refsource_REDHAT
RHSA-2019:3931
vendor-advisory
x_refsource_REDHAT
DSA-4596
vendor-advisory
x_refsource_DEBIAN
20191229 [SECURITY] [DSA 4596-1] tomcat8 security update
mailing-list
x_refsource_BUGTRAQ
https://www.oracle.com/security-alerts/cpujan2020.html
x_refsource_MISC
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/
mailing-list
x_refsource_MLIST
https://www.oracle.com/security-alerts/cpuapr2020.html
x_refsource_MISC
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now