NOTICE: This version of the NSF Unidata web site (archive.unidata.ucar.edu) is no longer being updated.
Current content can be found at unidata.ucar.edu.

To learn about what's going on, see About the Archive Site.

[thredds] Fwd: [SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service

  • To: THREDDS community <thredds@xxxxxxxxxxxxxxxx>
  • Subject: [thredds] Fwd: [SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service
  • From: Jennifer Oxelson Ganter <oxelson@xxxxxxxx>
  • Date: Wed, 13 Mar 2024 10:18:45 -0600
Hello all,

Two new high-level CVEs were just issued for Tomcat (CVE-2024-24549 &
CVE-2024-23672).
Please make sure you are running the latest version.



---------- Forwarded message ---------
From: Mark Thomas <markt@xxxxxxxxxx>
Date: Wed, Mar 13, 2024 at 9:46 AM
Subject: [SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service
To: users@xxxxxxxxxxxxxxxxx <users@xxxxxxxxxxxxxxxxx>
Cc: <announce@xxxxxxxxxx>, announce@xxxxxxxxxxxxxxxxx <
announce@xxxxxxxxxxxxxxxxx>, Tomcat Developers List <dev@xxxxxxxxxxxxxxxxx>


CVE-2024-24549 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M16
Apache Tomcat 10.1.0-M1 to 10.1.18
Apache Tomcat 9.0.0-M1 to 9.0.85
Apache Tomcat 8.5.0 to 8.5.98

Description:
When processing an HTTP/2 request, if the request exceeded any of the
configured limits for headers, the associated HTTP/2 stream was not
reset until after all of the headers had been processed.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M17 or later
- Upgrade to Apache Tomcat 10.1.19 or later
- Upgrade to Apache Tomcat 9.0.86 or later
- Upgrade to Apache Tomcat 8.5.99 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team
by Bartek Nowotarski (https://nowotarski.info/).

History:
2024-03-13 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html


-- 
------------------------------------------------------------------------------------
Jennifer Oxelson Ganter                                       NSF Unidata
Software Engineer IV                                          P.O. Box 3000
oxelson@xxxxxxxx                                       Boulder, CO 80307
------------------------------------------------------------------------------------
  • 2024 messages navigation, sorted by:
    1. Thread
    2. Subject
    3. Author
    4. Date
    5. ↑ Table Of Contents
  • Search the thredds archives: