Bug 2269607 (CVE-2024-24549)

| Field | Value |
|---|---|
| Summary | CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Zack Miele <zmiele> |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW |
| Severity | high |
| Priority | high |
| Version | unspecified |
| CC | arsingh, ben.argyle, csutherl, jclere, jwright, pjindal, plodge, szappis |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | Apache Tomcat 11.0.0-M17, Apache Tomcat 10.1.19, Apache Tomcat 9.0.86, Apache Tomcat 8.5.99 |
| Doc Type | If docs needed, set a value |
| Bug Depends On | 2269611 |
| Bug Blocks | 2270597 |

Doc Text:

A vulnerability was found in the Tomcat package due to its handling of HTTP/2 requests. Specifically, when an HTTP/2 request surpasses the predetermined limits for headers configured within the server, the associated HTTP/2 stream isn't reset immediately. Instead, the reset action occurs only after all the headers within the request have been processed. This lapse in resetting the stream exposes the system to potential risks, as it allows malicious actors to exploit the delay in stream reset to carry out various attacks, such as header manipulation or resource exhaustion.
Description

Zack Miele, 2024-03-14 20:59:53 UTC

Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2269611]

This issue has been addressed in the following products:

- JWS 5.7.8

Via RHSA-2024:1319 https://access.redhat.com/errata/RHSA-2024:1319

This issue has been addressed in the following products:

- Red Hat JBoss Web Server 5.7 on RHEL 7
- Red Hat JBoss Web Server 5.7 on RHEL 8
- Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2024:1318 https://access.redhat.com/errata/RHSA-2024:1318

This issue has been addressed in the following products:

- Red Hat JBoss Web Server 6.0 on RHEL 8
- Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:1324 https://access.redhat.com/errata/RHSA-2024:1324

This issue has been addressed in the following products:

- JWS 6.0.1

Via RHSA-2024:1325 https://access.redhat.com/errata/RHSA-2024:1325

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3308 https://access.redhat.com/errata/RHSA-2024:3308

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 9

Via RHSA-2024:3307 https://access.redhat.com/errata/RHSA-2024:3307

Is there a fix coming for Red Hat Enterprise Linux 8, please?

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 8

Via RHSA-2024:3666 https://access.redhat.com/errata/RHSA-2024:3666

This issue has been addressed in the following products:

- Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3814 https://access.redhat.com/errata/RHSA-2024:3814