Apache patches Tomcat HTTP/2 DoS vulnerability

The Apache Software Foundation has released new Apache Tomcat security updates to address an HTTP/2 Denial of Service (DoS) vulnerability.

If left unpatched, the Apache Tomcat HTTP/2 DoS vulnerability CVE-2019-10072 allows a remote attacker to cause a denial of service condition.

Apache provided a brief description of the vulnerability in a recent security advisory:

“The fix for CVE-2019-0199 was incomplete and did not address connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.”
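The stall the advisory describes, as an added Python model of HTTP/2 flow control (RFC 7540 section 6.9); this is illustration code, not Tomcat's. A DATA frame needs room in both the per-stream window and the connection window (stream 0), so a peer that refills only stream windows leaves the server's writer stuck. The bounded wait in `write_body` is an assumed defensive behaviour for the example, not a description of the Tomcat fix.

```python
DEFAULT_WINDOW = 65_535   # RFC 7540 section 6.9.2: initial size of both windows


class FlowControl:
    """Sender-side bookkeeping for the two flow-control windows."""

    def __init__(self):
        self.connection_window = DEFAULT_WINDOW   # stream 0
        self.stream_windows = {}

    def open_stream(self, stream_id):
        self.stream_windows[stream_id] = DEFAULT_WINDOW

    def writable(self, stream_id, size):
        """Bytes that may go out now; 0 means the writing thread would block."""
        allowed = min(size, self.stream_windows[stream_id], self.connection_window)
        self.stream_windows[stream_id] -= allowed
        self.connection_window -= allowed
        return allowed

    def window_update(self, stream_id, increment):
        """WINDOW_UPDATE: stream 0 refills the connection window, else one stream."""
        if stream_id == 0:
            self.connection_window += increment
        else:
            self.stream_windows[stream_id] += increment


def write_body(fc, stream_id, body_len, peer_updates, max_stalls=3):
    """Write body_len bytes on one stream. On each stall the peer (a callable
    returning (stream_id, increment) frames) answers. Returns (written, stuck)."""
    written, stalls = 0, 0
    while written < body_len:
        n = fc.writable(stream_id, body_len - written)
        if n:
            written += n
            continue
        stalls += 1
        if stalls > max_stalls:      # assumed: give up instead of blocking forever
            return written, True
        for sid, inc in peer_updates(stream_id):
            fc.window_update(sid, inc)
    return written, False


def stream_only_client(stream_id):
    """Refills the stream window but never stream 0 (the pattern in the advisory)."""
    return [(stream_id, DEFAULT_WINDOW)]


def well_behaved_client(stream_id):
    """Refills both windows, as an ordinary HTTP/2 client does."""
    return [(0, DEFAULT_WINDOW), (stream_id, DEFAULT_WINDOW)]


def run(client, body_len=200_000):
    fc = FlowControl()
    fc.open_stream(1)
    return write_body(fc, 1, body_len, client)
```

With `stream_only_client` the writer delivers one window's worth of data and then stalls no matter how often the stream window is refilled; without the bounded wait, each such connection would pin a worker thread for good.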

The vulnerability is rated Important and should be patched as soon as possible by applying the upgrade that matches the installed version:

  • For Apache Tomcat 9.0.0.M1 to 9.0.19, upgrade to Apache Tomcat 9.0.20 or later.
  • For Apache Tomcat 8.5.0 to 8.5.40, upgrade to Apache Tomcat 8.5.41 or later.

Apache also credited John Simpson of Trend Micro Security Research, working with Trend Micro’s Zero Day Initiative, with discovering the vulnerability.

See the full Apache security advisory for more details.