CVE-2024-38286

Apache Tomcat: Denial of Service

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected.

Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue.

Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Vulnerabilidad de asignación de recursos sin límites o limitación de recursos en Apache Tomcat. Este problema afecta a Apache Tomcat: desde la versión 11.0.0-M1 hasta la 11.0.0-M20, desde la versión 10.1.0-M1 hasta la 10.1.24, desde la versión 9.0.13 hasta la 9.0.89. También pueden verse afectadas versiones anteriores no compatibles. Se recomienda a los usuarios que actualicen a la versión 11.0.0-M21, 10.1.25 o 9.0.90, que soluciona el problema. Apache Tomcat, en determinadas configuraciones de cualquier plataforma, permite a un atacante provocar un error OutOfMemoryError abusando del proceso de enlace TLS.

A vulnerability was found in Tomcat. Under certain configurations on any platform, this flaw allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

*Credits: Ozaki, North Grid Corporation

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-12 CVE Reserved
2024-10-30 CVE Published
2024-11-07 CVE Updated
2024-11-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption
CWE-770: Allocation of Resources Without Limits or Throttling

CAPEC

References (3)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.apache.org/thread/wms60cvbsz3fpbz9psxtfx8r41jl6d4s	2024-11-07
https://access.redhat.com/security/cve/CVE-2024-38286	2024-10-29
https://bugzilla.redhat.com/show_bug.cgi?id=2314686	2024-10-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 11.0.0-M1 <= 11.0.0-M20 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 11.0.0-M1 <= 11.0.0-M20"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 10.1.0-M1 <= 10.1.24 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 10.1.0-M1 <= 10.1.24"		en		Affected
Apache Software Foundation Search vendor "Apache Software Foundation"		Apache Tomcat Search vendor "Apache Software Foundation" for product "Apache Tomcat"				>= 9.0.13 <= 9.0.89 Search vendor "Apache Software Foundation" for product "Apache Tomcat" and version " >= 9.0.13 <= 9.0.89"		en		Affected