CVE-2024-34750
Apache Tomcat: HTTP/2 excess header handling DoS
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
Manejo inadecuado de condiciones excepcionales, vulnerabilidad de consumo incontrolado de recursos en Apache Tomcat. Al procesar una secuencia HTTP/2, Tomcat no manejó correctamente algunos casos de encabezados HTTP excesivos. Esto llevó a un conteo erróneo de flujos HTTP/2 activos que a su vez llevó al uso de un tiempo de espera infinito incorrecto que permitió que las conexiones permanecieran abiertas y que deberían haberse cerrado. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.0-M20, desde 10.1.0-M1 hasta 10.1.24, desde 9.0.0-M1 hasta 9.0.89. Se recomienda a los usuarios actualizar a la versión 11.0.0-M21, 10.1.25 o 9.0.90, que soluciona el problema.
A vulnerability was found in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This issue led to a miscounting of active HTTP/2 streams, which in turn led to using an incorrect infinite timeout that allowed connections to remain open that should have been closed.
Red Hat JBoss Web Server 5.8.1 zip release is now available for Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 9, and Windows Server.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-05-08 CVE Reserved
- 2024-07-03 CVE Published
- 2024-08-16 CVE Updated
- 2025-03-31 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-755: Improper Handling of Exceptional Conditions
CAPEC
References (3)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l | 2024-07-09 | |
| https://access.redhat.com/security/cve/CVE-2024-34750 | 2024-08-21 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2295651 | 2024-08-21 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 11.0.0-M1 <= 11.0.0-M20 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M1 <= 11.0.0-M20" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 10.1.0-M1 <= 10.1.24 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.0-M1 <= 10.1.24" | en |
Affected
| ||||||
| Apache Software Foundation Search vendor "Apache Software Foundation" | Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat" | >= 9.0.0-M1 <= 9.0.89 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.0-M1 <= 9.0.89" | en |
Affected
| ||||||