[JRASERVER-69100] Upgrade Tomcat to 8.5.38 to fix CVE-2019-0199

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.2.2
Affects Version/s: 7.13.2, 7.6.12, 8.0.2
Component/s: Tomcat
Labels:

Introduced in Version:
7.06
Support reference count:
3
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Denial of service in Apache Tomcat CVE-2019-0199

A vulnerability was found in Apache Tomcat version from 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Workaround

Upgrading to Tomcat 9.0.16 will fix the issue.

Fixed Versions

>= 8.5.38

>= 9.0.16

is duplicated by

JRASERVER-69145 Upgrade Tomcat to the version 8.5.38 and later

Closed

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...

(1 mentioned in)

Glenn Bieger added a comment - 15/May/2019 12:29 AM

That's great news. Thanks pdrygas

Glenn Bieger added a comment - 15/May/2019 12:29 AM That's great news. Thanks pdrygas

Glenn Bieger added a comment - 06/May/2019 3:49 AM

Hi pdrygas, dblack - following up on this one. The SLA due date of this ticket is 11 days away. Are we on track?

Glenn Bieger added a comment - 06/May/2019 3:49 AM Hi pdrygas , dblack - following up on this one. The SLA due date of this ticket is 11 days away. Are we on track?

Andriy Yakovlev [Atlassian] added a comment - 02/Apr/2019 11:11 AM

pdrygas
Quick question, will be disabling the HTTP/2 an appropriate workaround?

thanks.

Andriy Yakovlev [Atlassian] added a comment - 02/Apr/2019 11:11 AM pdrygas Quick question, will be disabling the HTTP/2 an appropriate workaround? thanks.

Assignee:: Pawel Przytarski

Reporter:: Pawel Drygas (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 11 Start watching this issue

Created:: 02/Apr/2019 5:50 AM

Updated:: 08/Jul/2020 3:01 PM

Resolved:: 13/Jun/2019 2:41 PM

Jira Data Center

Details

Description

Denial of service in Apache Tomcat CVE-2019-0199

Fixed Versions

Attachments

Issue Links

Forms

Activity

Collapse comment: Glenn Bieger added a comment - 15/May/2019 12:29 AM

Expand comment: Glenn Bieger added a comment - 15/May/2019 12:29 AM

Collapse comment: Glenn Bieger added a comment - 06/May/2019 3:49 AM

Expand comment: Glenn Bieger added a comment - 06/May/2019 3:49 AM

Collapse comment: Andriy Yakovlev [Atlassian] added a comment - 02/Apr/2019 11:11 AM

Expand comment: Andriy Yakovlev [Atlassian] added a comment - 02/Apr/2019 11:11 AM

People

Dates