CVE-2024-52317

Category: Information Exposure
Affects: Apache Tomcat
Versions: >=9.0.92 <9.0.96, >=10.1.27 <10.1.31, >=11.0.0-M23 <11.0.0
Status: Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Apache Tomcat is an open-source web server and servlet container developed by the Apache Software Foundation. It implements several Java Enterprise Edition (Java EE) specifications including Java Servlet, JavaServer Pages (JSP), and WebSocket, allowing it to run Java web applications. Tomcat is widely used in both development and production environments due to its lightweight nature, ease of configuration, and compatibility with various Java applications. 

An HTTP/2 request and response object recycling and reuse vulnerability (CVE-2024-52317) has been identified in Apache Tomcat. Incorrect recycling of the request and response objects used by HTTP/2 requests could lead to request and/or response mix-up between users.

In general, improper recycling and reuse of HTTP request and response objects can lead to resource leaks, exposure of one user's data to another user, and other unexpected behavior.

This issue affects multiple versions of Apache Tomcat.

Details

Module Info

  • Product: Apache Tomcat
  • Affected packages: tomcat-embed-core, tomcat-coyote
  • Affected versions: >=9.0.92 <9.0.96, >=10.1.27 <10.1.31, >=11.0.0-M23 <11.0.0
  • GitHub repository: https://github.com/apache/tomcat
  • Package manager: Maven
  • Fixed in: 9.0.96, 10.1.31, 11.0.0
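As an added example (not part of this advisory or of the Tomcat project), the following Python check encodes the version ranges listed above and reports whether a given Tomcat version falls inside them, taking care that milestone builds such as 11.0.0-M23 sort before the final 11.0.0 release. The banner parsing assumes the `Apache Tomcat/<version>` form printed by Tomcat's bin/version.sh and in ServerInfo.properties; the sample banners are constructed.

```python
import re

# Affected ranges from the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [("9.0.92", "9.0.96"), ("10.1.27", "10.1.31"), ("11.0.0-M23", "11.0.0")]
FIXED_VERSIONS = {9: "9.0.96", 10: "10.1.31", 11: "11.0.0"}

# Tomcat versions look like 10.1.30 or, for milestone builds, 11.0.0-M23.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")
# Assumed banner form: the "Server version: Apache Tomcat/10.1.30" line printed by
# bin/version.sh, or the server.info line in catalina.jar's ServerInfo.properties.
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse_version(text):
    """Turn a Tomcat version string into a tuple that sorts correctly.
    A milestone (11.0.0-M23) precedes the final release (11.0.0), so a final
    release gets a milestone component larger than any real milestone number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), ms)

def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)

def version_from_banner(text):
    """Extract the version from version.sh output or ServerInfo.properties text."""
    m = _BANNER_RE.search(text)
    return m.group(1) if m else None

def assess(banner):
    """Return (version, affected, fixed_in) for a captured banner, or None if no version found."""
    version = version_from_banner(banner)
    if version is None:
        return None
    return version, is_affected(version), FIXED_VERSIONS.get(parse_version(version)[0])


if __name__ == "__main__":
    # Constructed sample banners, not captured from real systems.
    for banner in ("Server version: Apache Tomcat/10.1.30",
                   "server.info=Apache Tomcat/11.0.0-M23",
                   "Server version: Apache Tomcat/9.0.97"):
        print(banner, "->", assess(banner))
```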

Vulnerability Info

This vulnerability arises from improper handling of HTTP/2 request and response objects, potentially leading to unintended mixing of requests and responses between users. This could result in the leakage of sensitive information, such as session cookies or tokens, between users.

Mitigation

Only recent branches of Apache Tomcat are community-supported; end-of-life branches will not receive a community update to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade to a patched version of Apache Tomcat (9.0.96, 10.1.31, or 11.0.0, or later).
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Credit

  • Tomcat security team

Vulnerability Details

  • ID: CVE-2024-52317
  • Project affected: Apache Tomcat
  • Versions affected: >=9.0.92 <9.0.96, >=10.1.27 <10.1.31, >=11.0.0-M23 <11.0.0
  • Published date: May 28, 2025
  • Approximate fix date: October 1, 2024
  • Severity: Medium (CVSS assessment >=4 <6; the scale used here is Low >=0 <4, Medium >=4 <6, High >=6 <8, Critical >=8 <10)
  • Category: Information Exposure