Skip to main content

CVE-2019-0199

Severity

7.5

Description

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Project

Apache Tomcat

Apache TomEE

Category
DoS
Tags
data
Date Disclosed

2019-04-10

Date Discovered

2018-11-14

Apache Tomcat 9.0.x

First release:
2018-01-18
CVEs:
41
Support Lifecycle:
Namespace:
javax

Apache TomEE 7.1.x

First release:
2018-09-02
CVEs:
68
Support Lifecycle:
Namespace:
javax

Apache TomEE 7.0.x

First release:
2016-05-17
CVEs:
100
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.