[JRASERVER-69100] Upgrade Tomcat to 8.5.38 to fix CVE-2019-0199

Type: Bug
Resolution: Fixed
Priority: Low (View bug fix roadmap)
Fix Version/s: 8.2.2
Affects Version/s: 7.13.2, 7.6.12, 8.0.2
Component/s: Tomcat
Labels:

Introduced in Version:
7.06
Support reference count:
3
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Denial of service in Apache Tomcat CVE-2019-0199

A vulnerability was found in Apache Tomcat version from 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Workaround

Upgrading to Tomcat 9.0.16 will fix the issue.

Fixed Versions

>= 8.5.38

>= 9.0.16

is duplicated by

JRASERVER-69145 Upgrade Tomcat to the version 8.5.38 and later

Closed

mentioned in: Page Failed to load; Page Failed to load; Page Failed to load; Page Failed to load; Page Loading...

(1 mentioned in)

lfisher made changes - 08/Jul/2020 3:01 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 492979 ]

lfisher made changes - 01/Jul/2020 4:57 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 491968 ]

David Black made changes - 12/Aug/2019 2:23 AM

Labels

Original: CVE-2019-0199 cvss-high patch-management security

New: CVE-2019-0199 advisory-released cvss-high patch-management security

David Black made changes - 12/Aug/2019 2:22 AM

Labels

Original: CVE-2019-0199 cvss-high security

New: CVE-2019-0199 cvss-high patch-management security

David Black made changes - 12/Aug/2019 2:22 AM

Security

Original: Atlassian Staff [ 10750 ]

Przemyslaw Czuj made changes - 13/Jun/2019 2:41 PM

Resolution		New: Fixed [ 1 ]
Status	Original: Waiting for Release [ 12075 ]	New: Closed [ 6 ]

Bugfix Automation Bot made changes - 07/Jun/2019 6:01 PM

Support reference count

Original: 2

New: 3

Przemyslaw Czuj made changes - 24/May/2019 11:56 AM

Fix Version/s		New: 8.2.2 [ 87096 ]
Fix Version/s	Original: 8.2.1 [ 86599 ]

Bugfix Automation Bot made changes - 18/May/2019 6:01 AM

Support reference count

Original: 1

New: 2

Glenn Bieger added a comment - 15/May/2019 12:29 AM

That's great news. Thanks pdrygas

Glenn Bieger added a comment - 15/May/2019 12:29 AM That's great news. Thanks pdrygas

Assignee:: Pawel Przytarski

Reporter:: Pawel Drygas (Inactive)

Affected customers:: 0 This affects my team

Watchers:: 11 Start watching this issue

Created:: 02/Apr/2019 5:50 AM

Updated:: 08/Jul/2020 3:01 PM

Resolved:: 13/Jun/2019 2:41 PM

Jira Data Center

Details

Description

Denial of service in Apache Tomcat CVE-2019-0199

Fixed Versions

Attachments

Issue Links

Forms

Activity

Collapse comment: Glenn Bieger added a comment - 15/May/2019 12:29 AM

Expand comment: Glenn Bieger added a comment - 15/May/2019 12:29 AM

People

Dates