Denial of service in Apache Tomcat



Published: 2019-02-08 | Updated: 2019-03-25
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-0199
CWE-ID CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
Apache Tomcat
Server applications / Web servers

Vendor Apache Foundation

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource exhaustion

EUVDB-ID: #VU18067

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-0199

CWE-ID: CWE-400

Exploit availability:

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in the HTTP/2 implementation of Apache Tomcat, which accepts streams carrying excessive numbers of SETTINGS frames and also permits clients to keep streams open without reading or writing request/response data. A remote attacker can exhaust all available request-processing threads on the server and cause a denial of service.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Apache Tomcat: 8.5.0 - 9.0.14

Fixed software versions

External links

http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.16




