https://bugzilla.redhat.com/show_bug.cgi?id=1693325
Bug ID: 1693325
Summary: CVE-2019-0199 tomcat: Apache Tomcat HTTP/2 DoS
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190325,reported=20190326,source=internet,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,cwe=CWE-400,fedora-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,epel-all/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-6/jbossweb=notaffected,eap-5/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,fuse-6/tomcat=notaffected,fuse-7/tomcat=notaffected,fsw-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,springboot-1/tomcat=notaffected,jbews-2/tomcat6=notaffected,jws-3/tomcat7=notaffected,rhel-7/tomcat=notaffected,jbews-2/tomcat7=notaffected,jws-3/tomcat8=new,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,jws-5/tomcat=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: lpardo@redhat.com
CC: aileenc@redhat.com, alazarot@redhat.com, alee@redhat.com, anstephe@redhat.com, apintea@redhat.com, avibelli@redhat.com, bgeorges@redhat.com, bmaxwell@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmoulliard@redhat.com, coolsvap@gmail.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dimitris@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, fgavrilo@redhat.com, gvarsami@redhat.com, gzaronik@redhat.com, hhorak@redhat.com, ibek@redhat.com, ikanello@redhat.com, ivan.afonichev@gmail.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jclere@redhat.com, jcoleman@redhat.com, jdoyle@redhat.com, jolee@redhat.com, jondruse@redhat.com, jorton@redhat.com, jpallich@redhat.com, jschatte@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kconner@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, loleary@redhat.com, lpetrovi@redhat.com, lthon@redhat.com, mbabacek@redhat.com, mizdebsk@redhat.com, mszynkie@redhat.com, myarboro@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pgallagh@redhat.com, pgier@redhat.com, pjurak@redhat.com, ppalaga@redhat.com, psakar@redhat.com, pslavice@redhat.com, pszubiak@redhat.com, rnetuka@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, rzhang@redhat.com, sdaley@redhat.com, spinder@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, trogers@redhat.com, twalsh@redhat.com, vhalbert@redhat.com, vtunka@redhat.com, weli@redhat.com
Target Milestone: ---
Classification: Other
A vulnerability was found in Apache Tomcat versions 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading or writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.
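As an added example (not part of this bug report or of the Tomcat project's own documentation), a server.xml HTTP/2 connector that bounds both problems described above: idle streams that pin blocking worker threads, and connections that send control frames such as SETTINGS out of proportion to useful data. It assumes a Tomcat release newer than the affected ranges listed above, whose Http2Protocol accepts the streamReadTimeout, streamWriteTimeout, maxConcurrentStreams and overhead* attributes; the numeric values and the keystore path are illustrative choices, not the project's defaults.

```xml
<!-- Added example, not taken from the bug report or the Tomcat documentation.
     Assumes a Tomcat release newer than the affected ranges above; the numbers
     below are chosen for illustration, not the project's defaults. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" SSLEnabled="true">
    <!-- Thread exhaustion comes from worker threads blocked on streams that the
         client never feeds or drains. The stream timeouts bound how long a
         blocking Servlet read or write may wait before the stream is reset,
         which returns the thread to the pool. -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
                     streamReadTimeout="10000"
                     streamWriteTimeout="10000"
                     readTimeout="10000"
                     writeTimeout="10000"
                     keepAliveTimeout="20000"
                     maxConcurrentStreams="100"
                     overheadCountFactor="10"
                     overheadDataThreshold="1024"
                     overheadWindowUpdateThreshold="1024" />
    <!-- maxConcurrentStreams caps how many streams one connection may hold open
         at once. The overhead* attributes count control frames (SETTINGS among
         them) and tiny DATA / WINDOW_UPDATE frames against the useful data a
         connection moves; a connection that is mostly overhead is closed. -->
    <SSLHostConfig>
        <!-- placeholder keystore path -->
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
    </SSLHostConfig>
</Connector>
```

Upgrading past the affected versions is the actual fix; these attributes only exist on fixed releases and let an operator tighten the limits beyond what the release ships with.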
References:
https://mail-archives.apache.org/mod_mbox/tomcat-announce/201903.mbox/browse...
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html