Upgrade Tomcat to 8.5.38 to fix CVE-2019-0199

XMLWordPrintable

    • 7.06
    • 3
    • Severity 2 - Major

      Denial of service in Apache Tomcat CVE-2019-0199

      A vulnerability was found in Apache Tomcat version from 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

       
      Workaround

      Upgrading to Tomcat 9.0.16 will fix the issue.

      Fixed Versions

      • >= 8.5.38
      • >= 9.0.16

            Assignee:
            Pawel Przytarski
            Reporter:
            Pawel Drygas (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            11 Start watching this issue

              Created:
              Updated:
              Resolved: