oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE-2024-38286: Apache Tomcat: Denial of Service

From: Mark Thomas <markt () apache org>
Date: Mon, 23 Sep 2024 13:59:43 +0100
Affected versions:

- Apache Tomcat 11.0.0-M1 through 11.0.0-M20
- Apache Tomcat 10.1.0-M1 through 10.1.24
- Apache Tomcat 9.0.13 through 9.0.89

Description:
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.
Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process. 

Credit:

Ozaki, North Grid Corporation (reporter)

References:

https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2024-38286

Timeline:

2024-06-04: Issue reported to Apache Tomcat Security Team
Previous By Date Next
Previous By Thread Next

Current thread: