Bug 2295651 (CVE-2024-34750) - CVE-2024-34750 tomcat: Improper Handling of Exceptional Conditions
Summary: CVE-2024-34750 tomcat: Improper Handling of Exceptional Conditions
Keywords:
Status: NEW
Alias: CVE-2024-34750
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2295705
Blocks:
Reported: 2024-07-03 20:41 UTC by OSIDB Bzimport
Modified: 2024-09-30 09:07 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This issue led to a miscounting of active HTTP/2 streams, which in turn led to using an incorrect infinite timeout that allowed connections to remain open that should have been closed.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2024:4976  0        None      None    None     2024-08-06 11:07:48 UTC
Red Hat Product Errata  RHSA-2024:4977  0        None      None    None     2024-08-06 11:07:19 UTC
Red Hat Product Errata  RHSA-2024:5024  0        None      None    None     2024-08-06 10:49:43 UTC
Red Hat Product Errata  RHSA-2024:5025  0        None      None    None     2024-08-06 10:49:20 UTC
Red Hat Product Errata  RHSA-2024:5693  0        None      None    None     2024-08-21 11:51:36 UTC
Red Hat Product Errata  RHSA-2024:5694  0        None      None    None     2024-08-21 11:48:37 UTC
Red Hat Product Errata  RHSA-2024:5695  0        None      None    None     2024-08-21 11:49:26 UTC
Red Hat Product Errata  RHSA-2024:5696  0        None      None    None     2024-08-21 11:54:02 UTC

Description OSIDB Bzimport 2024-07-03 20:41:16 UTC
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams, which in turn led to the use of an incorrect infinite timeout that allowed connections to remain open when they should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fix the issue.
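As an added example (not part of this bug record or of Tomcat itself), the following Python script classifies a Tomcat version string, or the output of Tomcat's `org.apache.catalina.util.ServerInfo` class, against the affected ranges given in the description above, handling the milestone (`-Mn`) suffixes that plain string comparison gets wrong. The `Server version: Apache Tomcat/x.y.z` line format is an assumption about what that class prints.

```python
import re

# Inclusive affected ranges from the advisory text above; the fixing
# releases (11.0.0-M21, 10.1.25, 9.0.90) are the first builds past each.
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M20"),
    ("10.1.0-M1", "10.1.24"),
    ("9.0.0-M1", "9.0.89"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Assumed format of the "Server version:" line printed by
# `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`.
_SERVERINFO_RE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def parse_version(text: str) -> tuple:
    """Turn '9.0.89' or '11.0.0-M20' into a sortable tuple.

    Milestones sort before the GA build of the same number, so
    11.0.0-M20 < 11.0.0-M21 < 11.0.0 as Tomcat intends."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch), tail)


def assess(version: str) -> str:
    """Return 'affected', 'fixed' (same release line, past the last
    affected build) or 'unlisted' (a line the advisory does not cover,
    e.g. 8.5.x, which needs a separate assessment)."""
    key = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        lo_key, hi_key = parse_version(lo), parse_version(hi)
        if lo_key[:2] != key[:2]:  # different major.minor line
            continue
        return "affected" if lo_key <= key <= hi_key else "fixed"
    return "unlisted"


def assess_serverinfo(output: str) -> str:
    """Run assess() on raw ServerInfo output captured from a host."""
    m = _SERVERINFO_RE.search(output)
    if not m:
        raise ValueError("no 'Server version:' line in ServerInfo output")
    return assess(m.group(1))
```

A result of "unlisted" means the release line is outside the advisory's scope and must be checked against its own support status rather than assumed safe.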

Comment 4 errata-xmlrpc 2024-08-06 10:49:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2024:5025 https://access.redhat.com/errata/RHSA-2024:5025

Comment 5 errata-xmlrpc 2024-08-06 10:49:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.8 on RHEL 7
  Red Hat JBoss Web Server 5.8 on RHEL 8
  Red Hat JBoss Web Server 5.8 on RHEL 9

Via RHSA-2024:5024 https://access.redhat.com/errata/RHSA-2024:5024

Comment 6 errata-xmlrpc 2024-08-06 11:07:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2024:4977 https://access.redhat.com/errata/RHSA-2024:4977

Comment 7 errata-xmlrpc 2024-08-06 11:07:46 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 6.0 on RHEL 8
  Red Hat JBoss Web Server 6.0 on RHEL 9

Via RHSA-2024:4976 https://access.redhat.com/errata/RHSA-2024:4976

Comment 10 errata-xmlrpc 2024-08-21 11:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:5694 https://access.redhat.com/errata/RHSA-2024:5694

Comment 11 errata-xmlrpc 2024-08-21 11:49:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:5695 https://access.redhat.com/errata/RHSA-2024:5695

Comment 12 errata-xmlrpc 2024-08-21 11:51:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:5693 https://access.redhat.com/errata/RHSA-2024:5693

Comment 13 errata-xmlrpc 2024-08-21 11:54:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:5696 https://access.redhat.com/errata/RHSA-2024:5696

