CVE-2019-10072

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. The blocking path is only reachable on a connector that has HTTP/2 enabled (a nested UpgradeProtocol element with className org.apache.coyote.http2.Http2Protocol); an instance of these versions that serves HTTP/1.1 only does not expose it, but should still be moved to 8.5.41, 9.0.20 or a later release, or to a distribution package that carries the backported fix (see the tables below).
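The mechanism described above, as an added simulation that is not Tomcat's code: sender-side HTTP/2 flow control is modelled with the RFC 7540 defaults, a client that acknowledges data only on the stream window (never on stream 0) stalls every write once the connection window hits zero, and a fixed worker pool shows why that turns into thread exhaustion. The class and function names are this example's own, and the "write timeout" is modelled as a bounded number of stalled wait rounds (`max_stalls`) rather than wall-clock time.

```python
# Added example: simulation of HTTP/2 connection-window exhaustion on write.
# Not Tomcat code; names are this example's own. Constants follow RFC 7540 defaults.

DEFAULT_WINDOW = 65_535   # RFC 7540 6.9.2: initial window, per stream and for the connection
MAX_FRAME = 16_384        # RFC 7540 4.2: default SETTINGS_MAX_FRAME_SIZE


class H2Connection:
    """Server-side flow-control bookkeeping for one HTTP/2 connection."""

    def __init__(self):
        self.conn_window = DEFAULT_WINDOW   # stream 0 window, shared by every stream
        self.stream_windows = {}

    def window_update(self, stream_id, increment):
        """Apply a WINDOW_UPDATE frame received from the client."""
        if stream_id == 0:
            self.conn_window += increment
        else:
            current = self.stream_windows.get(stream_id, DEFAULT_WINDOW)
            self.stream_windows[stream_id] = current + increment

    def write(self, stream_id, nbytes):
        """Emit DATA frames until nbytes are sent or a window reaches zero. Returns bytes sent."""
        sent = 0
        while sent < nbytes:
            stream_window = self.stream_windows.setdefault(stream_id, DEFAULT_WINDOW)
            frame = min(nbytes - sent, MAX_FRAME, stream_window, self.conn_window)
            if frame <= 0:
                break   # flow control forbids sending: a real server thread parks here
            self.conn_window -= frame
            self.stream_windows[stream_id] -= frame
            sent += frame
        return sent


class HonestClient:
    """Acknowledges consumed data on both the stream window and the connection window."""

    def on_data(self, conn, stream_id, consumed):
        conn.window_update(0, consumed)
        conn.window_update(stream_id, consumed)


class StarvingClient:
    """Acknowledges data on the stream window only; stream 0 is never replenished."""

    def on_data(self, conn, stream_id, consumed):
        conn.window_update(stream_id, consumed)


def serve_response(conn, stream_id, client, nbytes, max_stalls=None):
    """Write a response of nbytes. Returns 'done', 'blocked' (unbounded wait for a
    WINDOW_UPDATE: the thread never returns to the pool) or 'timed_out' (the wait was
    bounded to max_stalls rounds, so the connection is dropped and the thread freed)."""
    remaining = nbytes
    stalls = 0
    while remaining > 0:
        sent = conn.write(stream_id, remaining)
        remaining -= sent
        if remaining == 0:
            break
        if sent == 0:
            stalls += 1
            if max_stalls is None:
                return "blocked"
            if stalls > max_stalls:
                return "timed_out"
        client.on_data(conn, stream_id, sent)   # client's chance to send WINDOW_UPDATE
    return "done"


def run_pool(pool_size, requests, max_stalls=None):
    """Serve (client, nbytes) requests with a fixed worker pool, one connection each.
    Returns counts per outcome; 'rejected' means no worker was left for the request."""
    free = pool_size
    counts = {"done": 0, "blocked": 0, "timed_out": 0, "rejected": 0}
    for client, nbytes in requests:
        if free == 0:
            counts["rejected"] += 1
            continue
        free -= 1
        outcome = serve_response(H2Connection(), 1, client, nbytes, max_stalls)
        counts[outcome] += 1
        if outcome != "blocked":
            free += 1   # only threads that return can serve the next request
    return counts


if __name__ == "__main__":
    # Constructed workload: four starving clients fetching a large body, then two honest ones.
    attack = [(StarvingClient(), 200_000)] * 4 + [(HonestClient(), 1_000)] * 2
    print("no write timeout:  ", run_pool(4, attack))
    print("bounded write wait:", run_pool(4, attack, max_stalls=3))
```

With a four-thread pool and no bound on the wait, the four starving connections consume every worker and the two honest requests are rejected; with the wait bounded, the starving connections are dropped and the honest requests are served. Note that the starving client is fully RFC-compliant at the frame level: it simply never sends a stream-0 WINDOW_UPDATE, which is why the defence has to be a server-side timeout rather than a protocol check.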
CVSS 3.x Base Score
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score: Percentile 98%
Affected Products (NVD)
Vendor  Product  Version
apache  tomcat   8.5.0 ≤ x ≤ 8.5.40
apache  tomcat   9.0.1 ≤ x ≤ 9.0.19
apache  tomcat   9.0.0:milestone1 through 9.0.0:milestone27 (all 27 milestones, each listed as its own CPE entry)
x = vulnerable software versions
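Triage against the NVD ranges above, as an added example that is not NVD's or Tomcat's code: Tomcat milestone versions (9.0.0.M27) have to sort below the first GA release (9.0.1) for a single range to work, and a version string carrying a distribution revision (8.5.39-1ubuntu1~18.04.3) must not be compared against upstream ranges at all, since distributions backport the fix into older upstream versions. The ranges are transcribed from this page; the first fixed releases (8.5.41, 9.0.20) follow from them; the "Server version: Apache Tomcat/..." line is the one printed by bin/version.sh; all function names are this example's own.

```python
# Added example: upstream version triage for CVE-2019-10072. Not Tomcat's or NVD's code.
import re

# Transcribed from the NVD table on this page (upstream Apache Tomcat versions only).
AFFECTED_RANGES = [
    ("8.5.0", "8.5.40"),
    ("9.0.0.M1", "9.0.19"),   # milestones M1..M27 sort below 9.0.1, so one range covers both NVD rows
]
FIRST_FIXED = {"8.5": "8.5.41", "9.0": "9.0.20"}   # first release after each affected range

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")
_SERVER_LINE_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text):
    """'9.0.0.M27' -> (9, 0, 0, 0, 27); '9.0.1' -> (9, 0, 1, 1, 0).
    The fourth element ranks every milestone below the GA release of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an upstream Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), 0 if milestone else 1, int(milestone or 0))


def is_affected(version):
    """True if the upstream version falls inside one of the NVD ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def classify(version_string):
    """'vulnerable', 'fixed', 'not-listed', or 'distro-package' when the string carries a
    distribution revision ('8.5.39-1ubuntu1~18.04.3'): the upstream ranges do not apply to
    such packages and the distribution's own table has to be consulted instead."""
    upstream, sep, _revision = version_string.partition("-")
    if sep:
        return "distro-package"
    if is_affected(upstream):
        return "vulnerable"
    v = parse_version(upstream)
    branch = f"{v[0]}.{v[1]}"
    if branch in FIRST_FIXED and v >= parse_version(FIRST_FIXED[branch]):
        return "fixed"
    return "not-listed"   # a branch this entry says nothing about (e.g. 8.0.x)


def version_from_banner(line):
    """Pull the version out of the 'Server version: Apache Tomcat/9.0.19' line that
    bin/version.sh prints; None if the line is some other line of that output."""
    m = _SERVER_LINE_RE.search(line)
    return m.group(1) if m else None


if __name__ == "__main__":
    samples = ["9.0.0.M1", "9.0.0.M27", "9.0.19", "9.0.20", "8.5.40", "8.5.41",
               "8.0.53", "9.0.16-3ubuntu0.18.04.1"]   # constructed inputs
    for v in samples:
        print(f"{v:28} {classify(v)}")
    print(version_from_banner("Server version: Apache Tomcat/9.0.19"))
```

The "distro-package" branch is the important caveat: Ubuntu's fixed tomcat9 in bionic is 9.0.16-3ubuntu0.18.04.1, which an upstream-only check would wrongly flag as vulnerable.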
Debian Releases
Product  Codename             Version            Status
tomcat9  bookworm             9.0.70-2           fixed
tomcat9  bullseye             9.0.43-2~deb11u10  fixed
tomcat9  bullseye (security)  9.0.43-2~deb11u10  fixed
tomcat9  jessie               n/a                not-affected
tomcat9  sid                  9.0.95-1           fixed
tomcat9  stretch              n/a                not-affected
tomcat9  trixie               9.0.95-1           fixed
Ubuntu Releases
Product  Codename  Status        Fixed version
tomcat8  bionic    released      8.5.39-1ubuntu1~18.04.3
tomcat8  cosmic    ignored
tomcat8  disco     dne
tomcat8  trusty    dne
tomcat8  xenial    not-affected
tomcat9  bionic    released      9.0.16-3ubuntu0.18.04.1
tomcat9  cosmic    ignored
tomcat9  disco     released      9.0.16-3ubuntu0.19.04.1
tomcat9  trusty    dne
tomcat9  xenial    dne
dne = package does not exist in that release
Note that the Ubuntu fixed versions (8.5.39, 9.0.16) are below the first fixed upstream releases (8.5.41, 9.0.20) because the fix is backported into the existing package version; compare a distribution package against its own table, not against the upstream ranges.
openSUSE / SLES Releases
All entries are fixed. Each column applies to both the "suse enterprise sap" and the "suse enterprise server" product of that release; "n/a" marks a package with no entry for that release.
Package                 12 SP4         12 SP5         15             15 SP1
tomcat                  9.0.31-3.25.1  9.0.31-3.25.1  9.0.30-3.34.1  9.0.30-4.10.1
tomcat-admin-webapps    9.0.31-3.25.1  9.0.31-3.25.1  9.0.30-3.34.1  9.0.30-4.10.1
tomcat-docs-webapp      9.0.31-3.25.1  9.0.31-3.25.1  n/a            n/a
tomcat-el-3_0-api       9.0.31-3.25.1  9.0.31-3.25.1  9.0.30-3.34.1  9.0.30-4.10.1
tomcat-javadoc          9.0.31-3.25.1  9.0.31-3.25.1  n/a            n/a
tomcat-jsp-2_3-api      9.0.31-3.25.1  9.0.31-3.25.1  9.0.30-3.34.1  9.0.30-4.10.1
tomcat-lib              9.0.31-3.25.1  9.0.31-3.25.1  9.0.30-3.34.1  9.0.30-4.10.1
tomcat-servlet-4_0-api  9.0.31-3.25.1  9.0.31-3.25.1  9.0.30-3.34.1  9.0.30-4.10.1
tomcat-webapps          9.0.31-3.25.1  9.0.31-3.25.1  9.0.30-3.34.1  9.0.30-4.10.1