By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

PreferencesRejectAccept
Manage Consent Preferences by Category
Essentials
Always active

Necessary for the site to function. Always On.

Used for targeted advertising.

Remembers your preferences and provides enhanced features.

Measures usage and improves your experience.

Reject AllAccept All
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
View all Vulnerabilities

CVE-2024-38286

Denial of Service
Affects
Apache Tomcat
in
Apache Tomcat
No items found.
Versions
>=9.0.13 <9.0.90, >=10.1.0-M1 <10.1.25, >=11.0.0-M1 <11.0.0.M21
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java Enterprise Edition (Java EE) specifications including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments due to its lightweight nature, ease of configuration, and compatibility with various Java applications. 

A Denial of Service (DoS) vulnerability (CVE-2024-38286) has been identified in Apache Tomcat. This vulnerability allows attackers to cause an OutOfMemoryError by abusing the TLS handshake process.

The Open Web Application Security Project (OWASP) explains that denial of service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.” In this case the attacker can cause the server to run out of memory and become unable to function.

This issue affects multiple versions of Apache Tomcat below 11.0.0.M20

Details

Module Info

  • Product: Apache Tomcat
  • Affected packages: tomcat-util
  • Affected versions: >=9.0.13 <9.0.90, >=10.1.0-M1 <10.1.25, >=11.0.0-M1 <11.0.0.M21
  • GitHub repository: https://github.com/apache/tomcat
  • Package manager: Maven
  • Fixed in: 9.0.90, 10.1.25, and 11.0.0.M21

Vulnerability Info

This vulnerability can occur in affected versions of Apache Tomcat, under certain configurations and on any platform, when an attacker exploits the TLS handshake process to trigger OutOfMemoryError exceptions.

Mitigation

Only recent versions of Apache Tomcat are community-supported. The community support version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat.

Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • Ozaki, North Grid Corporation
Pink arrow
Pink arrow
CVE-2024-34750
CVE-2024-38286
CVE-2024-50379
CVE-2024-52316
CVE-2024-52317
CVE-2024-54677
CVE-2024-56337
What is a HeroDevs Security Advisory?
Vulnerability Details
ID
CVE-2024-38286
PROJECT Affected
Apache Tomcat
Versions Affected
>=9.0.13 <9.0.90, >=10.1.0-M1 <10.1.25, >=11.0.0-M1 <11.0.0.M21
Published date
May 28, 2025
≈ Fix date
June 1, 2024
Fixed in
Apache Tomcat NES
Severity
Level
CVSS Assessment
Low
>=0 <4
Medium
>=4 <6
High
>=6 <8
Critical
>=8 <10
High
Category
Denial of Service
Sign up for the latest vulnerability alerts fixed in
Apache Tomcat NES
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.