Bug 2295651 (CVE-2024-34750)
Summary: CVE-2024-34750 tomcat: Improper Handling of Exceptional Conditions
Product: [Other] Security Response
Component: vulnerability
Status: NEW
Severity: high
Priority: high
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Reporter: OSIDB Bzimport <bzimport>
Assignee: Product Security DevOps Team <prodsec-dev>
CC: csutherl, ecrosby, jclere, jwakely, pjindal, plodge, prodsec-dev, sbalasub, szappis
Keywords: Security
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This issue led to a miscounting of active HTTP/2 streams, which in turn led to using an incorrect infinite timeout that allowed connections to remain open that should have been closed.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2295705
Description
OSIDB Bzimport
2024-07-03 20:41:16 UTC
This issue has been addressed in the following products:

Red Hat JBoss Web Server
Via RHSA-2024:5025 https://access.redhat.com/errata/RHSA-2024:5025

Red Hat JBoss Web Server 5.8 on RHEL 7
Red Hat JBoss Web Server 5.8 on RHEL 8
Red Hat JBoss Web Server 5.8 on RHEL 9
Via RHSA-2024:5024 https://access.redhat.com/errata/RHSA-2024:5024

Red Hat JBoss Web Server
Via RHSA-2024:4977 https://access.redhat.com/errata/RHSA-2024:4977

Red Hat JBoss Web Server 6.0 on RHEL 8
Red Hat JBoss Web Server 6.0 on RHEL 9
Via RHSA-2024:4976 https://access.redhat.com/errata/RHSA-2024:4976

Red Hat Enterprise Linux 8
Via RHSA-2024:5694 https://access.redhat.com/errata/RHSA-2024:5694

Red Hat Enterprise Linux 8.8 Extended Update Support
Via RHSA-2024:5695 https://access.redhat.com/errata/RHSA-2024:5695

Red Hat Enterprise Linux 9
Via RHSA-2024:5693 https://access.redhat.com/errata/RHSA-2024:5693

Red Hat Enterprise Linux 9.2 Extended Update Support
Via RHSA-2024:5696 https://access.redhat.com/errata/RHSA-2024:5696

Uncontrolled Resource Consumption vulnerability in Apache Tomcat.
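To make the failure mode in the Doc Text concrete, here is an added toy model written for this page; it is not Tomcat's code and not taken from Red Hat. The class Http2Connection, its fields (keep_alive_timeout_ms, max_header_count, active_streams) and the INFINITE sentinel are assumptions chosen for the illustration, and the limits and timeouts are constructed sample values; Tomcat's real handler is structured differently. The buggy variant resets a stream whose HEADERS frame exceeds the header limit without retiring it from the active-stream count, so the connection-level timeout selection keeps choosing the infinite wait and the idle connection is never closed; the corrected variant retires the stream on that error path as well.

```python
# Added illustration of the stream-miscount -> infinite-timeout failure mode
# described in the Doc Text. This is NOT Tomcat's code: the class, field and
# method names below are assumptions chosen for the example, and the limits
# and timeouts are constructed sample values.
from dataclasses import dataclass, field

INFINITE = -1  # assumed sentinel meaning "no read timeout; wait forever"


class HeaderLimitExceeded(Exception):
    """Raised when a HEADERS frame carries more headers than the stream allows."""


@dataclass
class Http2Connection:
    keep_alive_timeout_ms: int = 20_000  # idle timeout when no stream is active
    max_header_count: int = 100          # per-stream header limit (assumed)
    fixed: bool = False                  # False = buggy accounting, True = corrected
    active_streams: int = 0
    streams: dict = field(default_factory=dict)

    def open_stream(self, stream_id: int) -> None:
        self.streams[stream_id] = "open"
        self.active_streams += 1

    def receive_headers(self, stream_id: int, headers: list) -> None:
        """Process a HEADERS frame for an open stream.

        Too many headers is an exceptional condition: the stream is reset and
        the request never reaches the servlet layer. The flaw modelled here is
        that this error path forgets to retire the stream from the active
        count; the corrected path always does so.
        """
        if self.streams.get(stream_id) != "open":
            raise ValueError(f"stream {stream_id} is not open")
        if len(headers) > self.max_header_count:
            self.streams[stream_id] = "reset"
            if self.fixed:
                self.active_streams -= 1
            raise HeaderLimitExceeded(
                f"stream {stream_id}: {len(headers)} headers > {self.max_header_count}")
        self.streams[stream_id] = "headers-ok"

    def close_stream(self, stream_id: int) -> None:
        """Normal completion path: both variants retire the stream correctly."""
        if self.streams.get(stream_id) in ("open", "headers-ok"):
            self.active_streams -= 1
        self.streams[stream_id] = "closed"

    def read_timeout_ms(self) -> int:
        """Connection read timeout as the handler would select it.

        With no active streams the connection is idle and must be reaped after
        the keep-alive period; while a stream is active the handler waits
        indefinitely for that stream's data. A stale active count therefore
        turns an idle connection into one that never times out.
        """
        return INFINITE if self.active_streams > 0 else self.keep_alive_timeout_ms


def simulate(fixed: bool, header_count: int = 101) -> tuple:
    """One client: open stream 1, send too many headers, then go quiet.

    Returns (active_streams, read_timeout_ms) after the error path.
    """
    conn = Http2Connection(fixed=fixed)
    conn.open_stream(1)
    # Constructed sample input: header_count dummy headers on a single stream.
    headers = [(f"x-h{i}", "v") for i in range(header_count)]
    try:
        conn.receive_headers(1, headers)
    except HeaderLimitExceeded:
        pass  # the stream was reset; the client sends nothing further
    return conn.active_streams, conn.read_timeout_ms()


def idle_connections_kept_open(fixed: bool, clients: int) -> int:
    """Count how many idle connections survive when each of `clients`
    connections trips the header limit once and then stalls."""
    return sum(1 for _ in range(clients) if simulate(fixed)[1] == INFINITE)


if __name__ == "__main__":
    print("buggy:", simulate(fixed=False))   # (1, -1): idle but never reaped
    print("fixed:", simulate(fixed=True))    # (0, 20000): reaped after keep-alive
    print("buggy, 500 stalled clients:", idle_connections_kept_open(False, 500))
```

The point of the model is the asymmetry between the two paths: the normal close and the error close must both retire the stream, and only the error path was wrong. Lowering the header limits does not help, because the flaw sits in the code that runs when the limit is hit; the remedy is the updated package from the advisories above.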