https://bugzilla.redhat.com/show_bug.cgi?id=1857040
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was found in Apache Tomcat, where an h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests are made, an OutOfMemoryException could occur, leading to a denial of service. The highest threat from this vulnerability is to system availability.
--- Comment #22 from RaTasha Tillery-Smith rtillery@redhat.com --- Statement:
Red Hat Certificate System 10.0 and Red Hat Enterprise Linux 8's Identity Management are using a vulnerable version of Tomcat that is bundled into the pki-servlet-engine component. However, HTTP/2 is not enabled in such a configuration, and it is not possible to trigger the flaw in a supported setup. A future update may fix the code.
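The statement above rests on one configuration fact: the flaw needs an HTTP/2 upgrade path on a connector, and the Tomcat bundled with Certificate System / IdM has none. Tomcat enables HTTP/2 per connector by nesting an `<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>` element inside the `<Connector>`; on a cleartext connector that accepts h2c (via `Upgrade: h2c` or a direct HTTP/2 preface), while a TLS connector negotiates h2 through ALPN and exposes no h2c path. The script below is an added example, not code from the Bugzilla entry, Red Hat or the Tomcat project: it parses a server.xml and reports which connectors have HTTP/2 enabled and which of those are cleartext. The two embedded server.xml documents are constructed samples; the real file to pass is the instance's own server.xml (`conf/server.xml` under CATALINA_BASE; for a pki-tomcat instance the path is assumed here to be `/etc/pki/pki-tomcat/server.xml`).

```python
"""Report Tomcat connectors with HTTP/2 enabled, flagging cleartext (h2c) ones.

Added example for the Bugzilla statement above; not part of the bug entry or
of Apache Tomcat itself.
"""
import sys
import xml.etree.ElementTree as ET

# Class name Tomcat uses for its HTTP/2 upgrade protocol (real Tomcat name).
HTTP2_UPGRADE = "org.apache.coyote.http2.Http2Protocol"


def http2_connectors(server_xml: str) -> list:
    """Return one dict per <Connector> that nests an HTTP/2 <UpgradeProtocol>.

    'h2c' is True when the connector is not TLS-enabled: such a connector
    accepts HTTP/2 either through an HTTP/1.1 "Upgrade: h2c" request or a
    direct connection that starts with the HTTP/2 preface, which is the path
    the flaw concerns. TLS connectors negotiate h2 via ALPN instead.
    """
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        upgrades = [u for u in conn.findall("UpgradeProtocol")
                    if u.get("className") == HTTP2_UPGRADE]
        if not upgrades:
            continue
        tls = conn.get("SSLEnabled", "false").lower() == "true"
        found.append({
            "port": conn.get("port"),
            "protocol": conn.get("protocol", "HTTP/1.1"),
            "tls": tls,
            "h2c": not tls,
        })
    return found


def h2c_exposed(server_xml: str) -> bool:
    """True if at least one connector could accept a cleartext h2c connection."""
    return any(c["h2c"] for c in http2_connectors(server_xml))


# Constructed sample: HTTP/1.1 only, no UpgradeProtocol anywhere. This is the
# shape the statement describes for Certificate System / IdM (HTTP/2 not enabled).
SERVER_XML_NO_H2 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample: HTTP/2 enabled on both connectors. Only the cleartext
# 8080 connector accepts h2c; 8443 negotiates h2 over TLS via ALPN.
SERVER_XML_H2 = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.p12" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    # Usage: python check_h2c.py /path/to/server.xml  (defaults to the H2 sample)
    xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else SERVER_XML_H2
    for c in http2_connectors(xml):
        print(c)
    print("h2c exposed:", h2c_exposed(xml))
```

On the first sample the report is empty and `h2c_exposed` is False, matching the "HTTP/2 is not enabled" reasoning; on the second it lists both connectors and flags only port 8080 as h2c. Run it against the instance's actual server.xml rather than trusting the default, since a locally added `<UpgradeProtocol>` on a cleartext connector would reopen the h2c path the statement relies on being absent.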