Denial of Service : Apache Tomcat DoS Vulnerability (Jun 2019)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 145615 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.107014

Categoría: Denial of Service

Título: Apache Tomcat DoS Vulnerability (Jun 2019) - Linux

Resumen: Apache Tomcat is prone to a denial of service vulnerability in the HTTP/2; implementation.

Descripción: Summary:
Apache Tomcat is prone to a denial of service vulnerability in the HTTP/2
implementation.

Vulnerability Insight:
The HTTP/2 implementation accepts streams with excessive numbers of SETTINGS
frames and also permitts clients to keep streams open without reading/writing request/response data. By keeping
streams open for requests that utilises the Servlet API's blocking I/O, clients are able to cause server-side
threads to block eventually leading to thread exhaustion and a DoS.

Affected Software/OS:
Apache Tomcat 8.5.0 to 8.5.40 and 9.0.0.M1 to 9.0.19.

Solution:
Update to version 8.5.41, 9.0.20 or later.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2019-10072
BugTraq ID: 108874
http://www.securityfocus.com/bid/108874
https://security.netapp.com/advisory/ntap-20190625-0002/
https://support.f5.com/csp/article/K17321505
https://www.synology.com/security/advisory/Synology_SA_19_29
Debian Security Information: DSA-4680 (Google Search)
https://www.debian.org/security/2020/dsa-4680
https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E
https://www.oracle.com/security-alerts/cpuApr2021.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
RedHat Security Advisories: RHSA-2019:3929
https://access.redhat.com/errata/RHSA-2019:3929
RedHat Security Advisories: RHSA-2019:3931
https://access.redhat.com/errata/RHSA-2019:3931
SuSE Security Announcement: openSUSE-SU-2020:0038 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html
https://usn.ubuntu.com/4128-1/
https://usn.ubuntu.com/4128-2/

Copyright Copyright (C) 2019 Greenbone AG

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.107014
Categoría:	Denial of Service
Título:	Apache Tomcat DoS Vulnerability (Jun 2019) - Linux
Resumen:	Apache Tomcat is prone to a denial of service vulnerability in the HTTP/2; implementation.
Descripción:	Summary: Apache Tomcat is prone to a denial of service vulnerability in the HTTP/2 implementation. Vulnerability Insight: The HTTP/2 implementation accepts streams with excessive numbers of SETTINGS frames and also permitts clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilises the Servlet API's blocking I/O, clients are able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. Affected Software/OS: Apache Tomcat 8.5.0 to 8.5.40 and 9.0.0.M1 to 9.0.19. Solution: Update to version 8.5.41, 9.0.20 or later. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2019-10072 BugTraq ID: 108874 http://www.securityfocus.com/bid/108874 https://security.netapp.com/advisory/ntap-20190625-0002/ https://support.f5.com/csp/article/K17321505 https://www.synology.com/security/advisory/Synology_SA_19_29 Debian Security Information: DSA-4680 (Google Search) https://www.debian.org/security/2020/dsa-4680 https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3E https://www.oracle.com/security-alerts/cpuApr2021.html https://www.oracle.com/security-alerts/cpuapr2020.html https://www.oracle.com/security-alerts/cpujan2020.html https://www.oracle.com/security-alerts/cpuoct2020.html https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E RedHat Security Advisories: RHSA-2019:3929 https://access.redhat.com/errata/RHSA-2019:3929 RedHat Security Advisories: RHSA-2019:3931 https://access.redhat.com/errata/RHSA-2019:3931 SuSE Security Announcement: openSUSE-SU-2020:0038 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html https://usn.ubuntu.com/4128-1/ https://usn.ubuntu.com/4128-2/
Copyright	Copyright (C) 2019 Greenbone AG