The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.

References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
http://mail-archives.us.apache.org/mod_mbox/www-announce/201906.mbox/%3Cca69531a-1592-be7b-60ce-729549c7f812%40apache.org%3E

Upstream commits:
Tomcat 9.0:
https://github.com/apache/tomcat/commit/7f748eb
https://github.com/apache/tomcat/commit/ada725a
Tomcat 8.5:
https://github.com/apache/tomcat/commit/0bcd69c
https://github.com/apache/tomcat/commit/8d14c6f
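The following is an added example, not code from the bug report, Red Hat, or the Tomcat project. It models the server-side condition described above: a worker thread must obtain connection-window (stream 0) credit before it can write, and a peer that never sends WINDOW_UPDATE leaves that credit at zero. `ConnectionWindow` and `simulate_pool` are hypothetical names; the bounded wait shown is the defensive principle (never park a pool thread indefinitely on flow-control credit) assumed here for illustration, not a transcription of Tomcat's actual patch.

```python
import threading
import time
from collections import Counter


class ConnectionWindow:
    """Model of the HTTP/2 connection-level (stream 0) send window.

    A server may only write as many DATA bytes as the peer has granted; the
    peer replenishes that credit with WINDOW_UPDATE frames. A peer that never
    sends WINDOW_UPDATE for stream 0 leaves the window at zero indefinitely.
    (Simplified illustrative model, not Tomcat's implementation.)
    """

    def __init__(self, initial_credit):
        self._credit = initial_credit
        self._cond = threading.Condition()

    def window_update(self, increment):
        """Apply a WINDOW_UPDATE from the peer and wake blocked writers."""
        with self._cond:
            self._credit += increment
            self._cond.notify_all()

    def reserve(self, nbytes, timeout=None):
        """Wait for nbytes of connection credit and consume it.

        timeout=None models the pre-fix behaviour: the calling thread waits
        indefinitely. A finite timeout models the defensive behaviour: the
        write is abandoned with TimeoutError so the thread returns to the
        pool (a real server would then close the connection).
        """
        deadline = None if timeout is None else time.monotonic() + timeout
        with self._cond:
            while self._credit < nbytes:
                if deadline is None:
                    self._cond.wait()
                    continue
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    raise TimeoutError("connection window not replenished")
                self._cond.wait(remaining)
            self._credit -= nbytes


def simulate_pool(pool_size, window_size, response_bytes, bounded, timeout=0.2):
    """Run pool_size worker threads against one connection whose peer never
    sends WINDOW_UPDATE. Each worker tries to write response_bytes.

    Returns (workers still blocked at the deadline, Counter of outcomes seen
    by then). With bounded=False the workers that find the window drained
    block for good; with bounded=True they time out and free their thread.
    """
    window = ConnectionWindow(window_size)
    outcomes = []
    lock = threading.Lock()

    def worker():
        try:
            window.reserve(response_bytes, timeout if bounded else None)
            result = "wrote"
        except TimeoutError:
            result = "timed_out"
        with lock:
            outcomes.append(result)

    threads = [threading.Thread(target=worker, daemon=True) for _ in range(pool_size)]
    for t in threads:
        t.start()

    # Give bounded workers comfortably more than `timeout` to give up.
    end = time.monotonic() + timeout * 3
    for t in threads:
        t.join(max(0.0, end - time.monotonic()))
    blocked = sum(1 for t in threads if t.is_alive())
    with lock:
        seen = Counter(outcomes)

    # Simulation cleanup only: grant enough credit to release blocked workers.
    window.window_update(pool_size * response_bytes)
    for t in threads:
        t.join()
    return blocked, seen


if __name__ == "__main__":
    # Constructed scenario: a 16-byte window, four workers each needing 8 bytes.
    for bounded in (False, True):
        blocked, seen = simulate_pool(4, 16, 8, bounded)
        print(f"bounded={bounded}: blocked={blocked}, outcomes={dict(seen)}")
```

With the unbounded wait, two workers drain the window and the other two stay parked until the peer sends credit, which in the scenario above never happens; grow the pool to the server's thread limit and every thread ends up in that state. With the bounded wait the same two workers give up after the timeout and the thread count recovers, which is the property a fix for this class of bug needs to provide.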
Created tomcat tracking bugs for this issue: Affects: epel-all [bug 1723711]
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1723712]
External References:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.20
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
Mitigation: pki-servlet-container does not use HTTP/2 in its default configuration.
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2019:3931 https://access.redhat.com/errata/RHSA-2019:3931
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.2 on RHEL 7
Red Hat JBoss Web Server 5.2 on RHEL 6
Red Hat JBoss Web Server 5.2 on RHEL 8
Via RHSA-2019:3929 https://access.redhat.com/errata/RHSA-2019:3929
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10072