Bug 2269607 (CVE-2024-24549) - CVE-2024-24549 : Apache Tomcat: HTTP/2 header handling DoS
Summary: CVE-2024-24549 : Apache Tomcat: HTTP/2 header handling DoS
Keywords:
Status: NEW
Alias: CVE-2024-24549
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: high (priority), high (severity)
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2269611
Blocks: 2270597
Reported: 2024-03-14 20:59 UTC by Zack Miele
Modified: 2024-11-26 22:17 UTC (History)
Fixed In Version: Apache Tomcat 11.0.0-M17, Apache Tomcat 10.1.19, Apache Tomcat 9.0.86, Apache Tomcat 8.5.99
Clone Of:
Environment:
Last Closed:
Embargoed:

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:1318  0        None      None    None     2024-03-18 11:16:13 UTC
Red Hat Product Errata  RHSA-2024:1319  0        None      None    None     2024-03-18 11:13:52 UTC
Red Hat Product Errata  RHSA-2024:1324  0        None      None    None     2024-03-18 14:53:12 UTC
Red Hat Product Errata  RHSA-2024:1325  0        None      None    None     2024-03-18 14:54:02 UTC
Red Hat Product Errata  RHSA-2024:3307  0        None      None    None     2024-05-23 06:15:10 UTC
Red Hat Product Errata  RHSA-2024:3308  0        None      None    None     2024-05-23 06:13:44 UTC
Red Hat Product Errata  RHSA-2024:3666  0        None      None    None     2024-06-06 08:37:57 UTC
Red Hat Product Errata  RHSA-2024:3814  0        None      None    None     2024-06-11 17:29:57 UTC

Description Zack Miele 2024-03-14 20:59:53 UTC
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.

Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
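Added example (not part of the bug report or of Tomcat itself): a small Python checker that encodes the affected and fixed ranges from the description above and classifies Tomcat version strings against them, taking care that milestone builds such as 11.0.0-M16 sort below the GA release with the same numbers. The SAMPLE_INVENTORY hostnames and versions are constructed for illustration.

```python
import re

# Per-branch ranges from the advisory text above: (first affected, last affected, first fixed).
AFFECTED = {
    (11, 0): ("11.0.0-M1", "11.0.0-M16", "11.0.0-M17"),
    (10, 1): ("10.1.0-M1", "10.1.18", "10.1.19"),
    (9, 0): ("9.0.0-M1", "9.0.85", "9.0.86"),
    (8, 5): ("8.5.0", "8.5.98", "8.5.99"),
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def parse_version(text):
    """Turn '10.1.18' or '11.0.0-M16' into a sortable tuple, or None if unrecognised.
    Milestones sort below the GA release with the same numbers: 9.0.0-M1 < 9.0.0-M2 < 9.0.0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        return None
    major, minor, patch, milestone = match.groups()
    tag = (0, int(milestone)) if milestone is not None else (1, 0)  # GA beats any milestone
    return (int(major), int(minor), int(patch), tag)

def assess(version):
    """Classify one version string against the advisory ranges."""
    parsed = parse_version(version)
    if parsed is None:
        return "invalid"
    branch = AFFECTED.get(parsed[:2])
    if branch is None:
        return "unlisted-branch"  # e.g. Tomcat 7.0.x, not covered by this advisory
    first, last, fixed = (parse_version(v) for v in branch)
    if first <= parsed <= last:
        return "affected"
    if parsed >= fixed:
        return "fixed"
    return "unknown"  # falls between the listed ranges; check by hand

# Constructed sample inventory (host -> Tomcat version it reports); not real data.
SAMPLE_INVENTORY = {
    "web-01": "9.0.85", "web-02": "9.0.86", "api-01": "10.1.18",
    "api-02": "11.0.0-M16", "legacy-01": "8.5.99", "legacy-02": "7.0.109",
}

def hosts_needing_upgrade(inventory):
    """Return {host: (running version, first fixed version)} for every affected host."""
    return {
        host: (ver, AFFECTED[parse_version(ver)[:2]][2])
        for host, ver in inventory.items()
        if assess(ver) == "affected"
    }
```

Run `hosts_needing_upgrade(SAMPLE_INVENTORY)` to see which constructed hosts still run an affected release and which version the advisory directs them to.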

Comment 1 Zack Miele 2024-03-14 21:32:19 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 2269611]

Comment 4 errata-xmlrpc 2024-03-18 11:13:51 UTC
This issue has been addressed in the following products:

  JWS 5.7.8

Via RHSA-2024:1319 https://access.redhat.com/errata/RHSA-2024:1319

Comment 5 errata-xmlrpc 2024-03-18 11:16:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2024:1318 https://access.redhat.com/errata/RHSA-2024:1318

Comment 6 errata-xmlrpc 2024-03-18 14:53:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.0 on RHEL 8
  Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:1324 https://access.redhat.com/errata/RHSA-2024:1324

Comment 7 errata-xmlrpc 2024-03-18 14:54:01 UTC
This issue has been addressed in the following products:

  JWS 6.0.1

Via RHSA-2024:1325 https://access.redhat.com/errata/RHSA-2024:1325

Comment 10 errata-xmlrpc 2024-05-23 06:13:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:3308 https://access.redhat.com/errata/RHSA-2024:3308

Comment 11 errata-xmlrpc 2024-05-23 06:15:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:3307 https://access.redhat.com/errata/RHSA-2024:3307

Comment 13 Ben 2024-05-31 15:37:20 UTC
Is there a fix coming for Red Hat Enterprise Linux 8, please?

Comment 16 errata-xmlrpc 2024-06-06 08:37:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3666 https://access.redhat.com/errata/RHSA-2024:3666

Comment 17 errata-xmlrpc 2024-06-11 17:29:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:3814 https://access.redhat.com/errata/RHSA-2024:3814