CVE-2024-23672
Apache Tomcat: WebSocket DoS with incomplete closing handshake
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
Denegación de servicio mediante vulnerabilidad de limpieza incompleta en Apache Tomcat. Los clientes de WebSocket podían mantener abiertas las conexiones de WebSocket, lo que generaba un mayor consumo de recursos. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.0-M16, desde 10.1.0-M1 hasta 10.1.18, desde 9.0. 0-M1 hasta 9.0.85, desde 8.5.0 hasta 8.5.98. Se recomienda a los usuarios actualizar a la versión 11.0.0-M17, 10.1.19, 9.0.86 u 8.5.99, que solucionan el problema.
A denial of service (DoS) vulnerability present in the Apache Tomcat package arises from an incomplete cleanup process. Specifically, WebSocket clients can perpetuate WebSocket connections without proper termination, thereby causing a sustained drain on system resources. This vulnerability facilitates the exploitation of Apache Tomcat servers, leading to a scenario where excessive resource consumption occurs due to the prolonged existence of these open WebSocket connections. As a consequence, the server's performance may degrade significantly, resulting in potential service disruption or unresponsiveness.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-01-19 CVE Reserved
- 2024-03-13 CVE Published
- 2024-06-24 EPSS Updated
- 2024-08-01 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-459: Incomplete Cleanup
CAPEC
References (8)
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/cmpswfx6tj4s7x0nxxosvfqs11lvdx2f | 2024-06-23 | |
| https://access.redhat.com/security/cve/CVE-2024-23672 | 2024-06-11 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2269608 | 2024-06-11 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 11.0.0-M1 <= 11.0.0-M16 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M1 <= 11.0.0-M16" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 10.1.0-M1 <= 10.1.18 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.0-M1 <= 10.1.18" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 9.0.0-M1 <= 9.0.85 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.0-M1 <= 9.0.85" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 8.5.0 <= 8.5.98 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 8.5.0 <= 8.5.98" | en |
Affected
| ||||||