Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.2.2
Affects Version/s: 7.13.2, 7.6.12, 8.0.2
Component/s: Tomcat
Labels:

Introduced in Version:
7.06
Support reference count:
3
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Denial of service in Apache Tomcat CVE-2019-0199

A vulnerability was found in Apache Tomcat version from 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Workaround

Upgrading to Tomcat 9.0.16 will fix the issue.

Fixed Versions

>= 8.5.38

>= 9.0.16

Attachments

Issue Links

is duplicated by

JRASERVER-69145 Upgrade Tomcat to the version 8.5.38 and later

Closed

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(1 mentioned in)

Activity

People

Assignee:: Pawel Przytarski

Reporter:: Pawel Drygas (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Due:: 16/May/2019

Created:: 02/Apr/2019 5:50 AM

Updated:: 08/Jul/2020 3:01 PM

Resolved:: 13/Jun/2019 2:41 PM