| Field | Value |
|---|---|
| Short Name | HTTP:APACHE:CVE-2019-0199-DOS |
| Severity | Minor |
| Recommended | Yes |
| Recommended Action | Drop |
| Category | HTTP |
| Keywords | Apache Tomcat HTTP2 Denial of Service |
| Release Date | 2019/06/04 |
| Update Number | 3177 |
| Supported Platforms | srx-17.3+, srx-branch-17.4+, vsrx-15.1+, vsrx3bsd-18.2+ |

HTTP: Apache Tomcat HTTP2 Denial of Service
This signature detects attempts to exploit a known vulnerability against Apache Tomcat. A successful attack can result in a denial-of-service condition.
Extended Description
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.
Affected Products
- Apache Tomcat 8.5.0
- Apache Tomcat 8.5.1
- Apache Tomcat 8.5.10
- Apache Tomcat 8.5.11
- Apache Tomcat 8.5.12
- Apache Tomcat 8.5.13
- Apache Tomcat 8.5.14
- Apache Tomcat 8.5.15
- Apache Tomcat 8.5.16
- Apache Tomcat 8.5.17
- Apache Tomcat 8.5.18
- Apache Tomcat 8.5.19
- Apache Tomcat 8.5.2
- Apache Tomcat 8.5.20
- Apache Tomcat 8.5.21
- Apache Tomcat 8.5.22
- Apache Tomcat 8.5.23
- Apache Tomcat 8.5.24
- Apache Tomcat 8.5.25
- Apache Tomcat 8.5.26
- Apache Tomcat 8.5.27
- Apache Tomcat 8.5.28
- Apache Tomcat 8.5.29
- Apache Tomcat 8.5.3
- Apache Tomcat 8.5.30
- Apache Tomcat 8.5.31
- Apache Tomcat 8.5.32
- Apache Tomcat 8.5.33
- Apache Tomcat 8.5.34
- Apache Tomcat 8.5.35
- Apache Tomcat 8.5.36
- Apache Tomcat 8.5.37
- Apache Tomcat 8.5.4
- Apache Tomcat 8.5.5
- Apache Tomcat 8.5.6
- Apache Tomcat 8.5.7
- Apache Tomcat 8.5.8
- Apache Tomcat 8.5.9
- Apache Tomcat 9.0.0
- Apache Tomcat 9.0.1
- Apache Tomcat 9.0.10
- Apache Tomcat 9.0.11
- Apache Tomcat 9.0.12
- Apache Tomcat 9.0.13
- Apache Tomcat 9.0.14
- Apache Tomcat 9.0.2
- Apache Tomcat 9.0.3
- Apache Tomcat 9.0.4
- Apache Tomcat 9.0.5
- Apache Tomcat 9.0.6
- Apache Tomcat 9.0.7
- Apache Tomcat 9.0.8
- Apache Tomcat 9.0.9
References