2295651 – (CVE-2024-34750) CVE-2024-34750 tomcat: Improper Handling of Exceptional Conditions

Bug 2295651 (CVE-2024-34750) - CVE-2024-34750 tomcat: Improper Handling of Exceptional Conditions

Summary: CVE-2024-34750 tomcat: Improper Handling of Exceptional Conditions

Keywords:
Status:	NEW
Alias:	CVE-2024-34750
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2295705
Blocks:
TreeView+	depends on / blocked

Reported:	2024-07-03 20:41 UTC by OSIDB Bzimport
Modified:	2025-05-24 03:11 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2024:4976	None	None	None	2024-08-06 11:07:48 UTC
Red Hat Product Errata	RHSA-2024:4977	None	None	None	2024-08-06 11:07:19 UTC
Red Hat Product Errata	RHSA-2024:5024	None	None	None	2024-08-06 10:49:43 UTC
Red Hat Product Errata	RHSA-2024:5025	None	None	None	2024-08-06 10:49:20 UTC
Red Hat Product Errata	RHSA-2024:5693	None	None	None	2024-08-21 11:51:36 UTC
Red Hat Product Errata	RHSA-2024:5694	None	None	None	2024-08-21 11:48:37 UTC
Red Hat Product Errata	RHSA-2024:5695	None	None	None	2024-08-21 11:49:26 UTC
Red Hat Product Errata	RHSA-2024:5696	None	None	None	2024-08-21 11:54:02 UTC

Description OSIDB Bzimport 2024-07-03 20:41:16 UTC

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Comment 4 errata-xmlrpc 2024-08-06 10:49:19 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2024:5025 https://access.redhat.com/errata/RHSA-2024:5025

Comment 5 errata-xmlrpc 2024-08-06 10:49:42 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.8 on RHEL 7
  Red Hat JBoss Web Server 5.8 on RHEL 8
  Red Hat JBoss Web Server 5.8 on RHEL 9

Via RHSA-2024:5024 https://access.redhat.com/errata/RHSA-2024:5024

Comment 6 errata-xmlrpc 2024-08-06 11:07:18 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2024:4977 https://access.redhat.com/errata/RHSA-2024:4977

Comment 7 errata-xmlrpc 2024-08-06 11:07:46 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.0 on RHEL 8
  Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:4976 https://access.redhat.com/errata/RHSA-2024:4976

Comment 10 errata-xmlrpc 2024-08-21 11:48:36 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5694 https://access.redhat.com/errata/RHSA-2024:5694

Comment 11 errata-xmlrpc 2024-08-21 11:49:25 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5695 https://access.redhat.com/errata/RHSA-2024:5695

Comment 12 errata-xmlrpc 2024-08-21 11:51:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:5693 https://access.redhat.com/errata/RHSA-2024:5693

Comment 13 errata-xmlrpc 2024-08-21 11:54:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5696 https://access.redhat.com/errata/RHSA-2024:5696

Comment 14 Alicent Hightower 2024-09-11 04:01:31 UTC Comment hidden (spam)

The best way to address this vulnerability is to update your Apache Tomcat installation to the latest https://block-blast.io version.

Comment 15 bonitacaily 2024-09-30 09:07:03 UTC Comment hidden (spam)

Thank you for providing very useful information! Play game https://smashy-road.io free.

Comment 16 Jsmes Bond 2025-01-15 06:28:14 UTC Comment hidden (spam)

The most effective way to resolve this vulnerability is by updating your Apache Tomcat installation to the latest version of https://history-spot.com

Comment 17 Jsmes Bond 2025-01-15 06:29:46 UTC Comment hidden (spam)

Thanks for this info! Play game https://football-bros.io free.

Comment 18 Jsmes Bond 2025-01-15 06:31:12 UTC Comment hidden (spam)

Uncontrolled Resource Consumption vulnerability in Apache Tomcat. Also addressed at: https://leveldevil2.com

Comment 19 Hookz 2025-03-16 18:42:24 UTC Comment hidden (spam)

his issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support 
Copy and paste emojis for Twitter, Facebook, Slack, Instagram, Snapchat, Slack, GitHub, Instagram, WhatsApp and more.👀Lookup, ✨Convert, and Get Emoji! 🔥. The Only trusted website for copying emojis is https://copyemojies.com
With our giant free collection of emojis, you can easily find the right one to use. Just click to select and copy and paste them into anywhere you want!

Comment 20 John H Smith 2025-03-26 04:10:27 UTC Comment hidden (spam)

Hi all, I’ve been digging into this HTTP/2 stream issue since I ran into something similar on a system running Tomcat 10.1.23. Has anyone tried diving deeper into debugging to figure out how this infinite timeout could potentially be exploited? I came across some extra info on another site https://blockblast-online.io/ that mentioned how stream miscounting might impact server performance, but it’s still a bit unclear to me. Thanks to the Red Hat team for the quick patches—gonna give 10.1.25 a shot and see how it goes!

Comment 21 Eric Payne 2025-03-27 22:03:07 UTC Comment hidden (spam)

Hey everyone, I’ve been looking into an HTTP/2 stream issue that I encountered on a system running Tomcat 10.1.23. Has anyone done a deep dive into debugging this to understand how an infinite timeout could potentially be exploited? I found some additional info on another site, https://tiktokpromod.com/, that discusses how stream miscounting could affect server performance, but it’s still a bit unclear to me. Big thanks to the Red Hat team for the fast patches—I’ll be testing out 10.1.25 to see if that resolves the issue!

Comment 22 nancy266 2025-03-31 07:58:54 UTC Comment hidden (spam)

Thank you for producing such a fascinating essay on this subject. This has sparked a lot of thought in me, and I'm looking forward to reading more https://escaperoad2.io

Comment 24 walis 2025-05-03 12:45:47 UTC Comment hidden (spam)

I must say, I thought this was a pretty interesting read when it comes to thisC topic. Liked the material. . .
https://toysstore.ca
https://pokemon1999.com
https://onepiecemarket.com
https://iiptvkaufen.de
https://narutoshop.fr/figurine-naruto/
https://otaku-figure.com/
https://snoopy-merch.com/

Comment 25 kskvgjebnpc 2025-05-24 03:11:37 UTC

https://www.vapeshopee.com/home/

Note You need to log in before you can comment on or make changes to this bug.