Signature Detail

HTTP: Apache Tomcat HTTP2 Denial of Service

This signature detects attempts to exploit a known vulnerability against Apache Tomcat. A successful attack can result in a denial-of-service condition.

Extended Description

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Affected Products

• Apache tomcat 8.5.0
• Apache tomcat 8.5.1
• Apache tomcat 8.5.10
• Apache tomcat 8.5.11
• Apache tomcat 8.5.12
• Apache tomcat 8.5.13
• Apache tomcat 8.5.14
• Apache tomcat 8.5.15
• Apache tomcat 8.5.16
• Apache tomcat 8.5.17
• Apache tomcat 8.5.18
• Apache tomcat 8.5.19
• Apache tomcat 8.5.2
• Apache tomcat 8.5.20
• Apache tomcat 8.5.21
• Apache tomcat 8.5.22
• Apache tomcat 8.5.23
• Apache tomcat 8.5.24
• Apache tomcat 8.5.25
• Apache tomcat 8.5.26
• Apache tomcat 8.5.27
• Apache tomcat 8.5.28
• Apache tomcat 8.5.29
• Apache tomcat 8.5.3
• Apache tomcat 8.5.30
• Apache tomcat 8.5.31
• Apache tomcat 8.5.32
• Apache tomcat 8.5.33
• Apache tomcat 8.5.34
• Apache tomcat 8.5.35
• Apache tomcat 8.5.36
• Apache tomcat 8.5.37
• Apache tomcat 8.5.4
• Apache tomcat 8.5.5
• Apache tomcat 8.5.6
• Apache tomcat 8.5.7
• Apache tomcat 8.5.8
• Apache tomcat 8.5.9
• Apache tomcat 9.0.0
• Apache tomcat 9.0.1
• Apache tomcat 9.0.10
• Apache tomcat 9.0.11
• Apache tomcat 9.0.12
• Apache tomcat 9.0.13
• Apache tomcat 9.0.14
• Apache tomcat 9.0.2
• Apache tomcat 9.0.3
• Apache tomcat 9.0.4
• Apache tomcat 9.0.5
• Apache tomcat 9.0.6
• Apache tomcat 9.0.7
• Apache tomcat 9.0.8
• Apache tomcat 9.0.9

References

• CVE: CVE-2019-0199
• URL: https://tomcat.apache.org/security-8.html#fixed_in_apache_tomcat_8.5.38