This security bulletin contains one medium risk vulnerability.
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists within the HTTP/2 implementation in Apache Tomcat, which accepts connections that send excessive numbers of SETTINGS frames and also permits clients to keep streams open without reading or writing request or response data. A remote attacker can exhaust all available threads on the server and perform a denial of service attack.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions
Apache Tomcat: 8.5.0 - 9.0.14

Fixed software versions
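The two client behaviours described in the bulletin (a large number of SETTINGS frames on one connection, and streams that are opened but never completed) can be recognised in a captured client byte stream. The following Python is an added example, not code from the bulletin or from Apache Tomcat: it parses raw HTTP/2 frames, counts non-ACK SETTINGS frames, and tracks streams opened by HEADERS that never carry END_STREAM. The settings_limit threshold and the sample traffic are constructed for this example and are not values taken from Tomcat.

```python
# Added example (not part of the bulletin or of Apache Tomcat): a minimal
# HTTP/2 frame parser that summarises one client connection, counting
# non-ACK SETTINGS frames and streams that were opened but never finished.
# Frame layout follows RFC 7540 section 4.1: 24-bit length, 8-bit type,
# 8-bit flags, reserved bit + 31-bit stream identifier, then payload.
import struct

CONNECTION_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_HEADER_LEN = 9
TYPE_DATA = 0x0
TYPE_HEADERS = 0x1
TYPE_SETTINGS = 0x4
FLAG_END_STREAM = 0x1   # on DATA and HEADERS frames
FLAG_ACK = 0x1          # on SETTINGS frames
FLAG_END_HEADERS = 0x4


def build_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame; used here only to construct sample traffic."""
    length = struct.pack(">I", len(payload))[1:]          # 24-bit length
    ident = struct.pack(">I", stream_id & 0x7FFFFFFF)     # reserved bit cleared
    return length + bytes([ftype, flags]) + ident + payload


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame in data."""
    if data.startswith(CONNECTION_PREFACE):
        data = data[len(CONNECTION_PREFACE):]
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        ftype, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack(">I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        start, end = offset + FRAME_HEADER_LEN, offset + FRAME_HEADER_LEN + length
        if end > len(data):
            break  # truncated trailing frame; ignore it
        yield ftype, flags, stream_id, data[start:end]
        offset = end


def analyse_connection(data, settings_limit=100):
    """Summarise a client byte stream.

    settings_limit is an assumed threshold chosen for this example; it is
    not a value taken from Tomcat.
    """
    settings_frames = 0
    opened, finished = set(), set()
    for ftype, flags, stream_id, _payload in parse_frames(data):
        if ftype == TYPE_SETTINGS and not flags & FLAG_ACK:
            settings_frames += 1          # each one obliges the server to ACK it
        elif ftype == TYPE_HEADERS:
            opened.add(stream_id)
        if ftype in (TYPE_HEADERS, TYPE_DATA) and flags & FLAG_END_STREAM:
            finished.add(stream_id)       # client half-closed the stream
    return {
        "settings_frames": settings_frames,
        "excessive_settings": settings_frames > settings_limit,
        "unfinished_streams": len(opened - finished),
    }


# Constructed sample traffic (not captured from a real client).
# b"\x82" is the HPACK indexed representation of ":method: GET".
def sample_benign():
    """One SETTINGS frame, then a single GET request that ends its stream."""
    return (CONNECTION_PREFACE
            + build_frame(TYPE_SETTINGS, 0, 0)
            + build_frame(TYPE_HEADERS, FLAG_END_HEADERS | FLAG_END_STREAM, 1, b"\x82"))


def sample_suspicious(n_settings=150, n_streams=3):
    """Many SETTINGS frames, then streams opened by HEADERS that never finish."""
    data = CONNECTION_PREFACE
    data += b"".join(build_frame(TYPE_SETTINGS, 0, 0) for _ in range(n_settings))
    for i in range(n_streams):
        data += build_frame(TYPE_HEADERS, FLAG_END_HEADERS, 2 * i + 1, b"\x82")
    return data


if __name__ == "__main__":
    for name, stream in (("benign", sample_benign()), ("suspicious", sample_suspicious())):
        print(name, analyse_connection(stream))
```

The parser works on the client-to-server direction only, which is where both conditions are visible; for live traffic the same analysis would be run per connection over a time window, since a long-lived idle stream is the second symptom the bulletin describes.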