Required CVE Record Information
Description
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading or writing request/response data. By keeping streams open for requests that used the Servlet API's blocking I/O, clients could cause server-side threads to block, eventually exhausting the thread pool and producing a denial of service.

Fixed in Apache Tomcat 9.0.16 and 8.5.38. Note that the June 2019 references below are for CVE-2019-10072, the follow-up record in which the Tomcat team reported that this fix was incomplete (HTTP/2 connection window exhaustion on write was not addressed); that record required a further upgrade to 9.0.20 or 8.5.41.
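To make the two abuse patterns concrete, the following is an added example, not code from the Tomcat project or from the CVE record: a minimal RFC 7540 frame encoder and parser, plus a simplified, assumed connection-guard model showing the two checks such a server needs (a cost counter for control frames that carry no request work, and a read timeout on streams whose body never arrives). The overhead accounting and the timeout are this example's own illustration, not Tomcat's algorithm or its configuration; `ConnectionGuard`, `overhead_factor`, `overhead_limit`, `stream_read_timeout`, `settings_flood` and `idle_streams` are invented names, and every frame fed in is constructed inline.

```python
"""Model of the two HTTP/2 abuses the description names, beside the checks a
server needs to survive them. Added example with an assumed, simplified
defence model; not Tomcat's code or algorithm. Frame layout (RFC 7540 s4.1):
24-bit length, 8-bit type, 8-bit flags, 1 reserved bit + 31-bit stream id."""
import struct
from dataclasses import dataclass, field
from typing import Optional

DATA, HEADERS, PRIORITY, SETTINGS, PING = 0x0, 0x1, 0x2, 0x4, 0x6   # frame types
END_STREAM, END_HEADERS = 0x1, 0x4                                   # frame flags
ENHANCE_YOUR_CALM = 0xB                       # s7 error code: peer generates excessive load
CONTROL_FRAMES = {SETTINGS, PING, PRIORITY}   # cost server work but carry no request


def encode_frame(ftype, flags, stream_id, payload=b""):
    """Serialise one frame: 9-byte header followed by the payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds the 24-bit length field")
    if stream_id >> 31:
        raise ValueError("stream identifier must fit in 31 bits")
    return struct.pack("!IBI", (len(payload) << 8) | ftype, flags, stream_id) + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) tuples; reject truncated input."""
    off = 0
    while off < len(data):
        if len(data) - off < 9:
            raise ValueError("truncated frame header at offset %d" % off)
        len_type, flags, sid = struct.unpack("!IBI", data[off:off + 9])
        length, ftype = len_type >> 8, len_type & 0xFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame payload at offset %d" % off)
        yield ftype, flags, sid & 0x7FFFFFFF, payload
        off += 9 + length


@dataclass
class ConnectionGuard:
    """Per-connection defences (assumed model). Control frames add `overhead_factor`
    to a counter, DATA frames with a body subtract one, and passing `overhead_limit`
    closes the connection. A stream whose promised body stalls for more than
    `stream_read_timeout` seconds is reset, freeing the thread a blocking read() holds."""
    overhead_factor: int = 10
    overhead_limit: int = 100
    stream_read_timeout: float = 20.0
    overhead: int = 0
    closed_with: Optional[int] = None
    awaiting_body: dict = field(default_factory=dict)   # stream id -> last activity time

    def process(self, frame, now):
        ftype, flags, sid, payload = frame
        if self.closed_with is not None:
            return "dropped"                    # connection already torn down
        if ftype in CONTROL_FRAMES:
            self.overhead += self.overhead_factor
            if self.overhead > self.overhead_limit:
                self.closed_with = ENHANCE_YOUR_CALM
                return "goaway"
            return "ok"
        if ftype == HEADERS and not flags & END_STREAM:
            self.awaiting_body[sid] = now       # a servlet thread now blocks in read()
        elif ftype == DATA and sid in self.awaiting_body:
            if payload:
                self.overhead = max(0, self.overhead - 1)
            if flags & END_STREAM:
                del self.awaiting_body[sid]     # body complete, thread returns
            else:
                self.awaiting_body[sid] = now
        return "ok"

    def sweep(self, now):
        """Reset streams whose body has stalled; returns the ids reset."""
        stale = [s for s, t in self.awaiting_body.items() if now - t > self.stream_read_timeout]
        for s in stale:
            del self.awaiting_body[s]
        return stale


def settings_flood(frame_count=30):
    """Scenario 1: a client sends nothing but SETTINGS frames (constructed
    input). Returns (frames accepted before closure, error code used)."""
    # Payload is 16-bit identifier / 32-bit value pairs; 0x4 is SETTINGS_INITIAL_WINDOW_SIZE.
    flood = b"".join(encode_frame(SETTINGS, 0, 0, struct.pack("!HI", 0x4, 65535))
                     for _ in range(frame_count))
    guard = ConnectionGuard()
    accepted = sum(guard.process(f, now=0.0) == "ok" for f in iter_frames(flood))
    return accepted, guard.closed_with


def idle_streams():
    """Scenario 2: streams 1..9 open a POST and never send the body; stream 11 keeps
    sending. Returns (threads blocked before the timeout, streams reset, still blocked)."""
    post = b"\x83\x84\x86"   # constructed HPACK block, RFC 7541 static indices: POST, /, http
    guard = ConnectionGuard(stream_read_timeout=20.0)
    for sid in (1, 3, 5, 7, 9, 11):
        guard.process(next(iter_frames(encode_frame(HEADERS, END_HEADERS, sid, post))), now=0.0)
    blocked_before = len(guard.awaiting_body)
    guard.process(next(iter_frames(encode_frame(DATA, 0, 11, b"chunk"))), now=15.0)
    reset = guard.sweep(now=21.0)   # streams 1..9 idle 21 s, stream 11 idle 6 s
    return blocked_before, len(reset), len(guard.awaiting_body)
```

Calling `settings_flood()` returns `(10, 11)`: ten SETTINGS frames are tolerated, the eleventh pushes the counter past the limit and the connection is closed with ENHANCE_YOUR_CALM instead of being allowed to consume parsing work indefinitely. Calling `idle_streams()` returns `(6, 5, 1)`: six streams each pin a thread in a blocking read, and the sweep at 21 seconds resets the five that never sent a body while leaving the one still sending data alone. Without that timeout those five threads stay blocked for as long as the client keeps the connection up, which is the exhaustion the description refers to; a real deployment should rely on the fixed Tomcat release and its Http2Protocol connector settings rather than on a model like this one.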
References (35 total)
- https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3Cannounce.tomcat.apache.org%3E
- lists.apache.org: [tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ mailing-list
- lists.apache.org: [tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/ mailing-list
- lists.apache.org: [tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ mailing-list
- lists.apache.org: [tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ mailing-list
- https://security.netapp.com/advisory/ntap-20190419-0001/
- lists.apache.org: [tomee-commits] 20190528 [jira] [Closed] (TOMEE-2497) Upgrade Tomcat in TomEE 7.0.x/7.1.x/8.0.x for CVE-2019-0199 mailing-list
- lists.apache.org: [tomcat-users] 20190620 Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.apache.org: [tomcat-dev] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.apache.org: [announce] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.apache.org: [tomcat-announce] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.apache.org: [tomcat-dev] 20190620 svn commit: r1861711 - in /tomcat/site/trunk: docs/security-8.html docs/security-9.html xdocs/security-8.xml xdocs/security-9.xml mailing-list
- lists.apache.org: [tomcat-users] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.apache.org: [tomcat-dev] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.apache.org: [tomcat-announce] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.apache.org: [tomcat-users] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.apache.org: [announce] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS mailing-list
- lists.fedoraproject.org: FEDORA-2019-1a3f878d27 vendor-advisory
- https://support.f5.com/csp/article/K17321505
- lists.opensuse.org: openSUSE-SU-2019:1673 vendor-advisory
- lists.fedoraproject.org: FEDORA-2019-d66febb5df vendor-advisory
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- securityfocus.com: 107674 vdb-entry
- lists.opensuse.org: openSUSE-SU-2019:1723 vendor-advisory
- lists.opensuse.org: openSUSE-SU-2019:1808 vendor-advisory
- access.redhat.com: RHSA-2019:3929 vendor-advisory
- access.redhat.com: RHSA-2019:3931 vendor-advisory
- debian.org: DSA-4596 vendor-advisory
- seclists.org: 20191229 [SECURITY] [DSA 4596-1] tomcat8 security update mailing-list
- https://www.oracle.com/security-alerts/cpujan2020.html
- lists.apache.org: [tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/ mailing-list
- lists.apache.org: [tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/ mailing-list
- lists.apache.org: [tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/ mailing-list
- lists.apache.org: [tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/ mailing-list
- https://www.oracle.com/security-alerts/cpuapr2020.html