CVE-2024-34750

03.07.2024, 20:15

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
apache	CNA	---				---
CISA-ADP	ADP	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 95%

Vendor	Product	Version
apache	tomcat	9.0.0 ≤ 𝑥 < 9.0.90
apache	tomcat	10.1.0 ≤ 𝑥 < 10.1.25
apache	tomcat	11.0.0:milestone1
apache	tomcat	11.0.0:milestone10
apache	tomcat	11.0.0:milestone11
apache	tomcat	11.0.0:milestone12
apache	tomcat	11.0.0:milestone13
apache	tomcat	11.0.0:milestone14
apache	tomcat	11.0.0:milestone15
apache	tomcat	11.0.0:milestone16
apache	tomcat	11.0.0:milestone17
apache	tomcat	11.0.0:milestone18
apache	tomcat	11.0.0:milestone19
apache	tomcat	11.0.0:milestone2
apache	tomcat	11.0.0:milestone20
apache	tomcat	11.0.0:milestone3
apache	tomcat	11.0.0:milestone4
apache	tomcat	11.0.0:milestone5
apache	tomcat	11.0.0:milestone6
apache	tomcat	11.0.0:milestone7
apache	tomcat	11.0.0:milestone8
apache	tomcat	11.0.0:milestone9

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat10

bookworm	10.1.34-0+deb12u2 fixed
bookworm (security)	10.1.34-0+deb12u2 fixed
bullseye	postponed
trixie	10.1.40-1 fixed
sid	10.1.40-1 fixed

tomcat9

bullseye	postponed
bullseye (security)	vulnerable
bookworm	9.0.70-2 fixed
trixie	9.0.95-1 fixed
sid	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat10

plucky	not-affected
oracular	not-affected
noble	Fixed 10.1.16-1ubuntu0.1~esm2 released
mantic	ignored
jammy	dne
focal	dne

tomcat6

plucky	dne
oracular	dne
noble	dne
mantic	dne
jammy	dne
focal	dne
xenial	needs-triage
trusty	needs-triage

tomcat7

plucky	dne
oracular	dne
noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

tomcat8

plucky	dne
oracular	dne
noble	dne
mantic	dne
jammy	dne
focal	dne
bionic	needs-triage
xenial	needs-triage

tomcat9

plucky	Fixed 9.0.70-2ubuntu1.25.04.2 released
oracular	Fixed 9.0.70-2ubuntu1.24.10.2 released
noble	Fixed 9.0.70-2ubuntu0.1+esm2 released
mantic	ignored
jammy	Fixed 9.0.58-1ubuntu0.2+esm3 released
focal	ignored
bionic	ignored

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l

https://security.netapp.com/advisory/ntap-20240816-0004/