-
Bug
-
Resolution: Fixed
-
Low (View bug fix roadmap)
-
7.13.2, 7.6.12, 8.0.2
-
7.06
-
3
-
Severity 2 - Major
-
Denial of service in Apache Tomcat CVE-2019-0199
A vulnerability was found in Apache Tomcat version from 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
Workaround
Upgrading to Tomcat 9.0.16 will fix the issue.
Fixed Versions
- >= 8.5.38
- >= 9.0.16
[JRASERVER-69100] Upgrade Tomcat to 8.5.38 to fix CVE-2019-0199
| Remote Link | New: This issue links to "Page (Confluence)" [ 492979 ] |
| Remote Link | New: This issue links to "Page (Confluence)" [ 491968 ] |
| Labels | Original: CVE-2019-0199 cvss-high patch-management security | New: CVE-2019-0199 advisory-released cvss-high patch-management security |
| Labels | Original: CVE-2019-0199 cvss-high security | New: CVE-2019-0199 cvss-high patch-management security |
| Security | Original: Atlassian Staff [ 10750 ] |
| Resolution | New: Fixed [ 1 ] | |
| Status | Original: Waiting for Release [ 12075 ] | New: Closed [ 6 ] |
| Support reference count | Original: 2 | New: 3 |
| Fix Version/s | New: 8.2.2 [ 87096 ] | |
| Fix Version/s | Original: 8.2.1 [ 86599 ] |
| Support reference count | Original: 1 | New: 2 |
| Fix Version/s | New: 8.2.1 [ 86599 ] |