tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
Date Thu, 20 Jun 2019 19:57:59 GMT
On 20/06/2019 20:35, Amit Pande wrote:
> Could you please clarify: 
> 
> Affected versions 8.5.0 to 8.5.40
> Mitigation says: 8.5.40 or later
> 
> What am I missing?

Nothing.
The affected versions are correct.
The mitigation is not. It should be 8.5.41 or later. I'll issue a
correction.

Thanks for pointing this out.

Mark


> 
> 
>> On Jun 20, 2019, at 2:25 PM, Mark Thomas <markt@apache.org> wrote:
>>
>> CVE-2019-10072 Apache Tomcat HTTP/2 DoS
>>
>> Severity: Important
>>
>> Vendor: The Apache Software Foundation
>>
>> Versions Affected:
>> Apache Tomcat 9.0.0.M1 to 9.0.19
>> Apache Tomcat 8.5.0 to 8.5.40
>>
>> Description:
>> The fix for CVE-2019-0199 was incomplete and did not address connection
>> window exhaustion on write. By not sending WINDOW_UPDATE messages for
>> the connection window (stream 0) clients were able
>> to cause server-side threads to block eventually leading to thread
>> exhaustion and a DoS.
>>
>> Mitigation:
>> Users of affected versions should apply one of the following mitigations:
>> - Upgrade to Apache Tomcat 9.0.20 or later
>> - Upgrade to Apache Tomcat 8.5.40 or later
>>
>> Credit:
>> John Simpson of Trend Micro Security Research working with Trend
>> Micro's Zero Day Initiative
>>
>> References:
>> [1] http://tomcat.apache.org/security-9.html
>> [2] http://tomcat.apache.org/security-8.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>


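The confusion in this thread is a boundary error: 8.5.40 is the last affected release, so the fix is in 8.5.41, not 8.5.40. The following is an added example (editor's code, not from the advisory or the Tomcat project) that encodes the affected ranges from the advisory together with the corrected fix versions from Mark Thomas's reply, and classifies a version string the way a practitioner would when triaging an inventory. It parses Tomcat's milestone scheme (9.0.0.M1 sorts before 9.0.1), accepts the "Apache Tomcat/8.5.40" banner form and the "8.5.40.0" server-number form printed by version.sh, and treats every range as inclusive. The function names `parse_version` and `assess` are this example's own.

```python
import re

# Inclusive affected ranges from the CVE-2019-10072 advisory, keyed by
# (major, minor) branch, with the first fixed release. The 8.5 entry uses
# 8.5.41 per Mark Thomas's correction, not the 8.5.40 printed in the
# original mitigation text.
AFFECTED = {
    (9, 0): ("9.0.0.M1", "9.0.19", "9.0.20"),
    (8, 5): ("8.5.0", "8.5.40", "8.5.41"),
}

_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)"   # major.minor.patch
    r"(?:\.M(\d+))?"         # optional milestone, e.g. 9.0.0.M1
    r"(?:\.\d+)?"            # optional build number, e.g. 8.5.40.0 from version.sh
)


def parse_version(text):
    """Turn a Tomcat version string into a sortable tuple.

    Layout: (major, minor, patch, is_final, milestone). A milestone release
    has is_final=0 so that 9.0.0.M27 < 9.0.1, and final releases compare
    by (major, minor, patch) alone.
    """
    s = text.strip()
    s = re.sub(r"^Apache Tomcat/", "", s)  # strip the server banner prefix
    m = _VERSION_RE.fullmatch(s)
    if m is None:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def assess(text):
    """Return 'vulnerable', 'fixed' or 'not listed' for a version string.

    'not listed' covers branches the advisory does not mention (e.g. 7.0.x);
    it is not a statement that such a branch is safe, only that this
    advisory says nothing about it.
    """
    v = parse_version(text)
    branch = AFFECTED.get(v[:2])
    if branch is None:
        return "not listed"
    first, last, fixed = (parse_version(x) for x in branch)
    if first <= v <= last:
        return "vulnerable"
    if v >= fixed:
        return "fixed"
    return "not listed"


def upgrade_target(text):
    """Name the minimum release to move to, or None if no upgrade is needed."""
    v = parse_version(text)
    if assess(text) != "vulnerable":
        return None
    return AFFECTED[v[:2]][2]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for banner in ("Apache Tomcat/8.5.40", "8.5.41", "9.0.0.M1",
                   "9.0.19", "9.0.20", "8.5.40.0", "7.0.94"):
        print("%-22s %-11s upgrade to: %s"
              % (banner, assess(banner), upgrade_target(banner)))
```

A plain string comparison would get this wrong in both directions: "9.0.9" sorts after "9.0.19" lexically, and "9.0.0.M1" would not be recognised as older than "9.0.0". The tuple encoding is what makes the inclusive boundary test `first <= v <= last` trustworthy, and keeping the fix version in the same table as the range is what prevents the off-by-one that started this thread.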