By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2024-34750

Denial of Service

Affects

Apache Tomcat

Versions

>=9.0.0.M1 <9.0.90, >=10.1.0-M1 <10.1.25, >=11.0.0-M1 <11.0.0-M21

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java Enterprise Edition (Java EE) specifications including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments due to its lightweight nature, ease of configuration, and compatibility with various Java applications.

‍

A Denial of Service (DoS) vulnerability (CVE-2024-34750) has been identified in Apache Tomcat. This vulnerability allows attackers to exhaust the service of available connections and memory.

‍

The Open Web Application Security Project (OWASP) explains that denial of service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.” In this case, Tomcat incorrectly handled some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

‍

This issue affects multiple versions below 11.0.0-M21.

‍

Details

Module Info

Product: Apache Tomcat
Affected packages: tomcat-embed-core, tomcat-coyote
Affected versions: >=9.0.0.M1 <9.0.90, >=10.1.0-M1 <10.1.25, >=11.0.0-M1 <11.0.0-M21
GitHub repository: https://github.com/apache/tomcat

Published packages:
- https://central.sonatype.com/artifact/org.apache.tomcat.embed/tomcat-embed-core
- https://central.sonatype.com/artifact/org.apache.tomcat/tomcat-coyote

Package manager: Maven
Fixed in: 9.0.90, 10.1.25, and 11.0.0.M21

‍

Vulnerability Info

The vulnerability is triggered by sending an HTTP/2 request containing an excessive number of HTTP headers to a vulnerable Apache Tomcat server. This overwhelms the stream handler, resulting in incorrect stream counting and an infinite connection timeout. As a result, the server keeps these connections open indefinitely, unnecessarily consuming resources. Over time, these persistently open connections can exhaust the server's available connection pool or consume excessive memory, ultimately preventing the server from accepting new connections.

‍

Mitigation

Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

‍

Users of the affected components should apply one of the following mitigations: