Menu
Deepen energy metering, focus on intelligent and digital energy management, empower utilities to double carbon revolution, and provide the world's leading smart energy management solutions.
+ 86-28-65706888
  • Add:
    No. 99 Tianquan Rd., Hi-Tech Development Zone, Chengdu, P.R.C.

Scan the WeChat QR code

Welcome to the official website!
Innovation
Brings a Better Life
Language
2025.01.21
About Apache Tomcat Denial of Service Vulnerability

Alert number: KAIFA-KSIRT-202 4 07- 1 1
Published : 2024/7/11
and published: 2024/7/1 1

1. Vulnerability Overview

Apache Tomcat is an open source Java Servlet container that is widely used to run Java web applications.

Recently, it was monitored that the official patched the Apache Tomcat HTTP/2 denial of service vulnerability (CVE-2024-34750), which is a denial of service vulnerability , which allows infinite timeout when processing the request and fails to close the connection that should have been terminated.

Affected users are advised to conduct self-inspection of their assets and take preventive measures to avoid hacker attacks.

2. Versions and fixes

Affected Products

Patched version

Affected versions

Tomcat

Apache Tomcat 11.0.0-M21

9.0.0-M1 <= Apache Tomcat <= 9.0.89

Tomcat

Apache Tomcat 10.1.25

10.1.0-M1 <= Apache Tomcat <= 10.1.24

Tomcat

Apache Tomcat 9.0.90

11.0.0-M1 <= Apache Tomcat <= 11.0.0-M20

III. Impact and Consequences

The request allowed an infinite timeout and failed to close the connection that should have been terminated.

Vulnerability Scoring

Vulnerability using KAIFA AMI scoring rules for grading

Final score: 7.5

V. Technical Details

Prerequisites for exploiting the vulnerability: Apache Tomcat when processing HTTP/2 streams.

Vulnerability details:

Recently, we detected that the official patch for the Apache Tomcat HTTP/2 Denial of Service vulnerability (CVE-2024-34750) was released. This is a denial of service vulnerability. When processing HTTP/2 streams, Apache Tomcat failed to properly handle certain abnormal HTTP headers, resulting in an HTTP/2 stream count error. This allowed an infinite timeout when processing the request, and prevented the connection from being closed.

6. Circumvention Measures

none

7. Version acquisition path

Services that support automatic updates will receive system update prompts, and users can perform system updates to fix the vulnerabilities. Or they can manually download official website plug-ins to update and fix the vulnerabilities.

8. Vulnerability Source

Supplier notification

IX. Update Records

KAIFA-KSIRT-Initial

10. FAQs

none

11. Developing external security response services

K AIFA has always advocated doing its utmost to protect the ultimate interests of product users, following the principle of responsible disclosure of security incidents, and handling product safety issues through the product safety issue handling mechanism.

12. Statement

This document is provided "as is" without any express, implied or statutory warranty, including (but not limited to) the warranty of merchantability, fitness for purpose and non-infringement. In no event shall K AIFA or its directly or indirectly controlled subsidiaries, or its suppliers, be liable for any loss, including direct, indirect, incidental, consequential loss of business profits or special damages. You shall bear all legal liabilities arising from the use of this document in any way. K AIFA may modify or update the content and information contained in this document at any time.