tomcat-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject HTTP/2 DoS issues announced today - Impact for Apache Tomcat
Date Tue, 13 Aug 2019 17:48:35 GMT
Today Netflix has published a report highlighting various potential DoS
attacks against HTTP/2 implementations [1].

No immediate action is required for Tomcat users since none of the
described attacks result in a DoS with Apache Tomcat.

The Tomcat Security Team has reviewed the impact on Tomcat of each of
these attacks. The load generated by the attacks is comparable to the
load generated by a similar amount of valid client traffic. Therefore,
these requests are not viewed as a DoS by the Tomcat Security Team. We
did look a little harder at the CVE-2019-9513 "Resource Loop" attack as
came closest to exceeding the load generated by valid traffic.

While we do not consider the described attacks to represent a DoS for
Apache Tomcat, they do all represent abusive client behaviour. In
response to these reports we will be expanding the overhead protection
already in place to detect these abusive behaviours and to close the
connection when they are detected.

The expanded overhead detection will be configurable, including the
option to disable it. The configuration will be provided with what we
consider to be reasonable defaults although there is the possibility
that these defaults will be adjusted based on user feedback in future
versions.

This additional protection will be in the next releases of 9.0.x and
8.5.x, currently expected to be 9.0.23 and 8.5.44. The release process
for these versions is expected to start later today.

Mark
on behalf of the Tomcat Security Team




[1]
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md

Mime
View raw message