CVE-2024-34750

Apache Tomcat: HTTP/2 excess header handling DoS

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

Manejo inadecuado de condiciones excepcionales, vulnerabilidad de consumo incontrolado de recursos en Apache Tomcat. Al procesar una secuencia HTTP/2, Tomcat no manejó correctamente algunos casos de encabezados HTTP excesivos. Esto llevó a un conteo erróneo de flujos HTTP/2 activos que a su vez llevó al uso de un tiempo de espera infinito incorrecto que permitió que las conexiones permanecieran abiertas y que deberían haberse cerrado. Este problema afecta a Apache Tomcat: desde 11.0.0-M1 hasta 11.0.0-M20, desde 10.1.0-M1 hasta 10.1.24, desde 9.0.0-M1 hasta 9.0.89. Se recomienda a los usuarios actualizar a la versión 11.0.0-M21, 10.1.25 o 9.0.90, que soluciona el problema.

A vulnerability was found in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This issue led to a miscounting of active HTTP/2 streams, which in turn led to using an incorrect infinite timeout that allowed connections to remain open that should have been closed.

*Credits: devme4f from VNPT-VCI

CVSS Scores

CISAv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-05-08 CVE Reserved
2024-07-03 CVE Published
2024-07-04 EPSS Updated
2024-08-16 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-755: Improper Handling of Exceptional Conditions

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/4kqf0bc9gxymjc2x7v3p7dvplnl77y8l	2024-07-09
https://access.redhat.com/security/cve/CVE-2024-34750	2024-08-21
https://bugzilla.redhat.com/show_bug.cgi?id=2295651	2024-08-21

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 11.0.0-M1 <= 11.0.0-M20 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M1 <= 11.0.0-M20"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 10.1.0-M1 <= 10.1.24 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.0-M1 <= 10.1.24"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 9.0.0-M1 <= 9.0.89 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.0-M1 <= 9.0.89"		en		Affected