Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2019/06/20 19:24:58 UTC
[SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
CVE-2019-10072 Apache Tomcat HTTP/2 DoS
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.19
Apache Tomcat 8.5.0 to 8.5.40
Description:
The fix for CVE-2019-0199 was incomplete and did not address connection
window exhaustion on write. By not sending WINDOW_UPDATE messages for
the connection window (stream 0), clients were able to cause
server-side threads to block, eventually leading to thread exhaustion
and a DoS.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.20 or later
- Upgrade to Apache Tomcat 8.5.40 or later
Credit:
John Simpson of Trend Micro Security Research working with Trend
Micro's Zero Day Initiative
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
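The mechanism the advisory describes is HTTP/2 connection-level flow control (RFC 7540, section 6.9): the server may only write DATA frames while the peer has granted credit on the stream 0 window, and that credit is replenished only by the client's WINDOW_UPDATE frames. The following is an added illustration, not Tomcat code and not the project's fix: it models the server-side write path against a constructed connection window, shows a request-handling thread stalling when a silent client never tops the window up, and shows how bounding the wait (a per-write timeout is assumed here as the mitigation) lets the thread finish instead of blocking indefinitely. Class and function names, the 100,000-byte response body and the timing constants are all constructed for the example.

```python
"""Model of HTTP/2 connection-level (stream 0) flow control on the server
write path. Constructed example; not Apache Tomcat code.

A client that never sends WINDOW_UPDATE for stream 0 leaves the connection
send window at zero, so every server thread with response data still to
write waits for credit that never arrives. Bounding that wait (assumed
mitigation: a per-write timeout) releases the thread.
"""
import threading
import time

DEFAULT_WINDOW = 65535      # RFC 7540 initial flow-control window (bytes)
MAX_FRAME_DATA = 16384      # RFC 7540 default SETTINGS_MAX_FRAME_SIZE


class ConnectionWindow:
    """Send-side credit for stream 0, as the server tracks it."""

    def __init__(self, initial=DEFAULT_WINDOW):
        self._credit = initial
        self._cond = threading.Condition()

    def credit(self):
        with self._cond:
            return self._credit

    def window_update(self, increment):
        """Peer sent WINDOW_UPDATE on stream 0: add credit and wake writers."""
        with self._cond:
            self._credit += increment
            self._cond.notify_all()

    def take(self, wanted, timeout):
        """Wait until some credit exists, then consume up to `wanted` bytes.

        Returns the number of bytes granted, or 0 if `timeout` seconds pass
        with the window still at zero. timeout=None waits forever, which is
        the unbounded blocking the advisory describes.
        """
        deadline = None if timeout is None else time.monotonic() + timeout
        with self._cond:
            while self._credit == 0:
                if deadline is None:
                    self._cond.wait()
                    continue
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return 0
                self._cond.wait(remaining)
            granted = min(wanted, self._credit)
            self._credit -= granted
            return granted


def serve(window, body, write_timeout):
    """Write `body` as DATA frames against `window`.

    Returns (bytes_sent, completed); completed is False when a write gave up
    waiting for connection-window credit and the thread was released.
    """
    sent = 0
    while sent < len(body):
        chunk = min(MAX_FRAME_DATA, len(body) - sent)
        granted = window.take(chunk, write_timeout)
        if granted == 0:
            return sent, False      # timed out waiting for WINDOW_UPDATE
        sent += granted             # a DATA frame of `granted` bytes goes out
    return sent, True


def serve_with_cooperative_client(body_len=100_000, updates=3, increment=MAX_FRAME_DATA):
    """Well-behaved peer: sends WINDOW_UPDATE frames while the server writes."""
    window = ConnectionWindow()

    def client():
        for _ in range(updates):
            time.sleep(0.02)
            window.window_update(increment)

    threading.Thread(target=client, daemon=True).start()
    return serve(window, b"x" * body_len, write_timeout=1.0)


def count_blocked_workers(n_clients, write_timeout, body_len=100_000, settle=0.3):
    """One server thread per silent client (never sends WINDOW_UPDATE);
    report how many threads are still stuck after `settle` seconds."""
    workers = []
    for _ in range(n_clients):
        window = ConnectionWindow()
        t = threading.Thread(target=serve,
                             args=(window, b"x" * body_len, write_timeout),
                             daemon=True)
        t.start()
        workers.append(t)
    time.sleep(settle)
    return sum(1 for t in workers if t.is_alive())


if __name__ == "__main__":
    print("silent client, no timeout: blocked threads =", count_blocked_workers(4, None))
    print("silent client, 50 ms write timeout: blocked threads =", count_blocked_workers(4, 0.05))
    print("cooperative client:", serve_with_cooperative_client())
```

The first 65535 bytes always go out because the initial window covers them; what matters for capacity planning is what happens to the thread afterwards. With `write_timeout=None` every worker serving a silent peer stays alive indefinitely, which is the thread-pool exhaustion the advisory reports; with a bounded wait the workers return to the pool. Operationally the same observation applies to real deployments: monitor the executor for threads parked in HTTP/2 write paths and treat a growing count of such threads as a signal worth alerting on.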
Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
Posted by Mark Thomas <ma...@apache.org>.
On 20/06/2019 20:35, Amit Pande wrote:
> Could you please clarify:
>
> Affected versions 8.5.0 to 8.5.40
> Mitigation says: 8.5.40 or later
>
> What am I missing?
Nothing.
The affected versions are correct.
The mitigation is not. It should be 8.5.41 or later. I'll issue a
correction.
Thanks for pointing this out.
Mark
Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
Posted by Amit Pande <Am...@veritas.com>.
Could you please clarify:
Affected versions 8.5.0 to 8.5.40
Mitigation says: 8.5.40 or later
What am I missing?