Skip to main content

Is Your Server Vulnerable?

Check Your Apache Version

Instantly verify your Apache server’s security and benefit from Tomitribe’s expertise in patching over 120+ CVEs on Tomcat, TomEE, and ActiveMQ to stay ahead of vulnerabilities

Select Your Server

Most Recent CVEs

CVE
Severity
Description
Category
Affected
CVE-2024-36124
2024-07-01
5.3
iq80 Snappy is a compression/decompression library. When uncompressing certain data, Snappy tries to read outside the bounds of the given byte arrays. Because Snappy uses the JDK class `sun.misc.Unsafe` to speed up memory access, no additional bounds checks are performed and this has similar security consequences as out-of-bounds access in C or C++, namely it can lead to non-deterministic behavior or crash the JVM. iq80 Snappy is not actively maintained anymore. As quick fix users can upgrade to version 0.5.
Details
CVE-2024-29131
2024-03-21
0.0
Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1, which fixes the issue.
Details
CVE-2024-28752
2024-03-08
0.0
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
datafunctional
CWE-918
Details
CVE-2024-24549
2024-01-25
0.0
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
dataoperational
CWE-20
Details
CVE-2024-23672
2024-01-19
0.0
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
dataoperational
CWE-459
Details
CVE-2024-21733
2024-01-01
3.1
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
dataoperational
CWE-209
Details
CVE-2023-51775
2023-12-25
0.0
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
data
n/a
Details
CVE-2023-46589
2023-10-23
7.5
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
dataoperational
CWE-444
Details
CVE-2023-33202
2023-05-18
5.5
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
data
n/a
Details
CVE-2023-46604
2023-10-24
10.0
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
dataoperational
CWE-502:
Details

Tomitribe Solutions

Explore Enterprise Support & Binary Subscriptions for Unrivaled Productivity & Performance Enhancements

Enterprise Support

Enterprise Support for Apache TomEE, Tomcat, & ActiveMQ

Our subscription provides unparalleled enterprise support directly from our senior developers contributing to Apache TomEE, Tomcat, & ActiveMQ. Benefit from our deep understanding and insight, ensuring your systems are secure, reliable, and ready to meet the challenges of your business

  • 24/7 support directly from Apache Committers
  • 1 hours response-time
  • Unlimited support incidents
  • Fast bug fixes & security patch turnaround
  • Production & Development support
  • CVE Patching
  • And much more
Get Support
New

Tomitribe Maintenance Binary Subscription

Enjoy timely updates, robust security vulnerability scanning, and prompt notifications tailored for a single version of Apache TomEE and or Tomcat, crucial for optimizing for specific products.

  • Robust security vulnerability scanning
  • Prompt notifications tailored for a single version of Apache TomEE and Tomcat
  • Internal use only
  • Unrestricted core access
  • Support not included
  • Subscription does not include vender products
  • 12 months Minimum Subscription Term
Get Patched

What Our Customers Are Saying

“It is very valuable for DFS to have a reliable partner to provision patches for the Open Source products in our production environments. We trust Tomitribe to provide us with security patches at short notice.”

Manfred KempfHead of AIS & IDP Systems at DFS Deutsche Flugsicherung

“Ridango's endorsement of Tomitribe demonstrates our commitment to maintaining a robust and secure infrastructure, with Tomitribe serving as a trusted partner for handling critical security updates.”

Ziga PodgrajsekHead of IT at Ridango AS
Scanned for Vulnerabilities lately?   

Contact us & see how we can help. 

* These fields are required.