Resource management error in Apache Tomcat

#VU20992 Resource management error in Apache Tomcat

Published: 2019-09-10 | Updated: 2020-01-20

Vulnerability identifier: #VU20992

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2019-10072

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
Apache Tomcat
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incomplete fix for SB2019020812 when processing HTTP/2 requests. A remote attacker can perform denial of service attack by not sending WINDOW_UPDATE messages for the connection window (stream 0).

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Tomcat: 9.0.0 - 9.0.19, 8.5.0 - 8.5.39

Fixed software versions

CPE

cpe:2.3:a:apache_foundation:apache_tomcat:9.0.18:*:*:*:*:*:*:*

External links
http://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Resource management error in Dell EMC Power Protect Data Manager

Multiple vulnerabilities in Siebel Apps - Marketing

Debian update for tomcat9

Multiple vulnerabilities in Oracle Retail Xstore Point of Service

Multiple vulnerabilities in Oracle Communications Session Route Manager

Multiple vulnerabilities in Oracle Communications Session Report Manager

Multiple vulnerabilities in Oracle Communications Element Manager

Multiple vulnerabilities in Oracle Communications Instant Messaging Server

Multiple vulnerabilities in Oracle Database Server

Multiple vulnerabilities in Oracle Agile PLM Framework