CVE-2024-38286

07.11.2024, 08:15

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89.

The following versions were EOL at the time the CVE was created but are
known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.

Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	8.6 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
apache	CNA	8.6 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Vendor	Product	Version
apache	tomcat	9.0.13 ≤ 𝑥 < 9.0.90
apache	tomcat	10.1.1 ≤ 𝑥 < 10.1.25
apache	tomcat	10.1.0:milestone1
apache	tomcat	10.1.0:milestone10
apache	tomcat	10.1.0:milestone11
apache	tomcat	10.1.0:milestone12
apache	tomcat	10.1.0:milestone13
apache	tomcat	10.1.0:milestone14
apache	tomcat	10.1.0:milestone15
apache	tomcat	10.1.0:milestone16
apache	tomcat	10.1.0:milestone17
apache	tomcat	10.1.0:milestone18
apache	tomcat	10.1.0:milestone19
apache	tomcat	10.1.0:milestone2
apache	tomcat	10.1.0:milestone20
apache	tomcat	10.1.0:milestone3
apache	tomcat	10.1.0:milestone4
apache	tomcat	10.1.0:milestone5
apache	tomcat	10.1.0:milestone6
apache	tomcat	10.1.0:milestone7
apache	tomcat	10.1.0:milestone8
apache	tomcat	10.1.0:milestone9
apache	tomcat	11.0.0:milestone1
apache	tomcat	11.0.0:milestone10
apache	tomcat	11.0.0:milestone11
apache	tomcat	11.0.0:milestone12
apache	tomcat	11.0.0:milestone13
apache	tomcat	11.0.0:milestone14
apache	tomcat	11.0.0:milestone15
apache	tomcat	11.0.0:milestone16
apache	tomcat	11.0.0:milestone17
apache	tomcat	11.0.0:milestone18
apache	tomcat	11.0.0:milestone19
apache	tomcat	11.0.0:milestone2
apache	tomcat	11.0.0:milestone20
apache	tomcat	11.0.0:milestone3
apache	tomcat	11.0.0:milestone4
apache	tomcat	11.0.0:milestone5
apache	tomcat	11.0.0:milestone6
apache	tomcat	11.0.0:milestone7
apache	tomcat	11.0.0:milestone8
apache	tomcat	11.0.0:milestone9

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

tomcat10

bookworm	10.1.34-0+deb12u2 fixed
bookworm (security)	10.1.34-0+deb12u2 fixed
forky	10.1.40-1 fixed
sid	10.1.40-1 fixed
trixie	10.1.40-1 fixed

tomcat9

bullseye	vulnerable
bullseye (security)	9.0.107-0+deb11u1 fixed
bookworm	9.0.70-2 fixed
forky	9.0.95-1 fixed
sid	9.0.95-1 fixed
trixie	9.0.95-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

tomcat6

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
xenial	not-affected
trusty	not-affected

tomcat7

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	not-affected
xenial	not-affected
trusty	not-affected

tomcat8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	dne
bionic	needed
xenial	not-affected

tomcat10

plucky	not-affected
oracular	not-affected
noble	Fixed 10.1.16-1ubuntu0.1~esm2 released
jammy	dne
focal	dne

tomcat9

plucky	Fixed 9.0.70-2ubuntu1.25.04.2 released
oracular	Fixed 9.0.70-2ubuntu1.24.10.2 released
noble	Fixed 9.0.70-2ubuntu0.1+esm2 released
jammy	Fixed 9.0.58-1ubuntu0.2+esm3 released
focal	Fixed 9.0.31-1ubuntu0.9+esm2 released
bionic	Fixed 9.0.16-3ubuntu0.18.04.2+esm7 released

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References

https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s

http://www.openwall.com/lists/oss-security/2024/09/23/2

https://security.netapp.com/advisory/ntap-20241101-0010/