Short Name | HTTP:APACHE:TOMCAT-HTTP2-DOS
Severity | Major
Recommended | Yes
Recommended Action | Drop
Category | HTTP
Keywords | Apache Tomcat HTTP2 Connection Window Exhaustion Denial of Service
Release Date | 2019/07/14
Update Number | 3189
Supported Platforms | srx-17.3+, srx-branch-17.4+, vsrx-15.1+, vsrx3bsd-18.2+
HTTP: Apache Tomcat HTTP2 Connection Window Exhaustion Denial of Service
This signature detects attempts to exploit a known vulnerability in the HTTP/2 module of Apache Tomcat. A successful attack can result in a denial-of-service condition.
Extended Description
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.
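The connection-window bookkeeping described above, as an added Python example that is not part of this signature page or of Tomcat's code: it replays a constructed HTTP/2 frame trace and flags a connection whose server-side connection window has been drained while the client has sent no WINDOW_UPDATE on stream 0 (a stream-level update alone does not replenish it). Frame layouts and the 65535-byte initial window follow RFC 7540; the trace, function names and chunk sizes are assumptions for illustration.

```python
import struct

# HTTP/2 frame type codes and the initial flow-control window (RFC 7540)
DATA = 0x0
WINDOW_UPDATE = 0x8
INITIAL_WINDOW = 65535

def build_frame(ftype, stream_id, payload, flags=0):
    """Serialize one frame: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload

def parse_frame(buf):
    """Decode a single complete frame into (type, flags, stream_id, payload)."""
    length = int.from_bytes(buf[0:3], "big")
    ftype, flags = buf[3], buf[4]
    stream_id = struct.unpack(">I", buf[5:9])[0] & 0x7FFFFFFF
    return ftype, flags, stream_id, buf[9:9 + length]

def connection_window_trace(trace):
    """Replay ("server"|"client", frame_bytes) pairs in wire order and track the
    connection-level window the server may write into. Server DATA on any stream
    consumes it; only a client WINDOW_UPDATE on stream 0 replenishes it.
    Returns (final_window, number_of_stream0_updates)."""
    window, stream0_updates = INITIAL_WINDOW, 0
    for direction, raw in trace:
        ftype, _flags, stream_id, payload = parse_frame(raw)
        if direction == "server" and ftype == DATA:
            window -= len(payload)
        elif direction == "client" and ftype == WINDOW_UPDATE and stream_id == 0:
            window += int.from_bytes(payload, "big") & 0x7FFFFFFF
            stream0_updates += 1
    return window, stream0_updates

def is_connection_window_starved(trace):
    """True when the server's connection window is exhausted and the client has
    never replenished it on stream 0: the write-blocking pattern this signature covers."""
    window, stream0_updates = connection_window_trace(trace)
    return window <= 0 and stream0_updates == 0

# Constructed sample: the server streams 65535 bytes of DATA on stream 1 (the whole
# initial connection window); the client answers with WINDOW_UPDATE for stream 1 only.
CHUNKS = [16384, 16384, 16384, 16383]
SERVER_DATA = [("server", build_frame(DATA, 1, b"A" * n)) for n in CHUNKS]
STREAM1_UPDATE = ("client", build_frame(WINDOW_UPDATE, 1, struct.pack(">I", 65535)))
STREAM0_UPDATE = ("client", build_frame(WINDOW_UPDATE, 0, struct.pack(">I", 65535)))

STARVED_TRACE = SERVER_DATA + [STREAM1_UPDATE]                  # stream-level update does not help
HEALTHY_TRACE = SERVER_DATA + [STREAM1_UPDATE, STREAM0_UPDATE]  # stream-0 update reopens the window

if __name__ == "__main__":
    print("starved:", is_connection_window_starved(STARVED_TRACE))  # True
    print("healthy:", is_connection_window_starved(HEALTHY_TRACE))  # False
```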
Affected Products
- Apache Tomcat 8.5.0
- Apache Tomcat 8.5.1
- Apache Tomcat 8.5.2
- Apache Tomcat 8.5.3
- Apache Tomcat 8.5.4
- Apache Tomcat 8.5.5
- Apache Tomcat 8.5.6
- Apache Tomcat 8.5.7
- Apache Tomcat 8.5.8
- Apache Tomcat 8.5.9
- Apache Tomcat 8.5.10
- Apache Tomcat 8.5.11
- Apache Tomcat 8.5.12
- Apache Tomcat 8.5.13
- Apache Tomcat 8.5.14
- Apache Tomcat 8.5.15
- Apache Tomcat 8.5.16
- Apache Tomcat 8.5.17
- Apache Tomcat 8.5.18
- Apache Tomcat 8.5.19
- Apache Tomcat 8.5.20
- Apache Tomcat 8.5.21
- Apache Tomcat 8.5.22
- Apache Tomcat 8.5.23
- Apache Tomcat 8.5.24
- Apache Tomcat 8.5.25
- Apache Tomcat 8.5.26
- Apache Tomcat 8.5.27
- Apache Tomcat 8.5.28
- Apache Tomcat 8.5.29
- Apache Tomcat 8.5.30
- Apache Tomcat 8.5.31
- Apache Tomcat 8.5.32
- Apache Tomcat 8.5.33
- Apache Tomcat 8.5.34
- Apache Tomcat 8.5.35
- Apache Tomcat 8.5.36
- Apache Tomcat 8.5.37
- Apache Tomcat 8.5.38
- Apache Tomcat 8.5.39
- Apache Tomcat 8.5.40
- Apache Tomcat 9.0.0
- Apache Tomcat 9.0.1
- Apache Tomcat 9.0.2
- Apache Tomcat 9.0.3
- Apache Tomcat 9.0.4
- Apache Tomcat 9.0.5
- Apache Tomcat 9.0.6
- Apache Tomcat 9.0.7
- Apache Tomcat 9.0.8
- Apache Tomcat 9.0.9
- Apache Tomcat 9.0.10
- Apache Tomcat 9.0.11
- Apache Tomcat 9.0.12
- Apache Tomcat 9.0.13
- Apache Tomcat 9.0.14
- Apache Tomcat 9.0.15
- Apache Tomcat 9.0.16
- Apache Tomcat 9.0.17
- Apache Tomcat 9.0.19