Vulnerability CVE-2019-0199: Information

Description

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Severity: HIGH (7.5)  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Published: 10 April 2019
Modified: 8 December 2023
Weakness type identifier: CWE-400

Fixed packages

Package name | Branch   | Fixed in version | Version in repository | Errata ID          | Task no. | Status
tomcat       | sisyphus | 9.0.37-alt1      | 9.0.83-alt1_1jpp11    | ALT-PU-2020-2892-1 | 255548   | Fixed
tomcat       | p10      | 9.0.37-alt1      | 9.0.59-alt1_3jpp11    | ALT-PU-2020-2892-1 | 255548   | Fixed
tomcat       | p9       | 9.0.37-alt1      | 9.0.37-alt1           | ALT-PU-2020-3213-2 | 258915   | Fixed
tomcat       | c10f1    | 9.0.37-alt1      | 9.0.59-alt1_3jpp11    | ALT-PU-2020-2892-1 | 255548   | Fixed
tomcat       | c9f2     | 9.0.37-alt0.c9.1 | 9.0.37-alt0.c9.1      | ALT-PU-2021-2858-2 | 282600   | Fixed
tomcat       | p11      | 9.0.37-alt1      | 9.0.83-alt1_1jpp11    | ALT-PU-2020-2892-1 | 255548   | Fixed

References to advisories, solutions and tools

Link (resource type, where given)
  • https://security.netapp.com/advisory/ntap-20190419-0001/ (Third Party Advisory)
  • https://support.f5.com/csp/article/K17321505
  • openSUSE-SU-2019:1673
  • 107674
  • RHSA-2019:3929
  • RHSA-2019:3931
  • DSA-4596
  • 20191229 [SECURITY] [DSA 4596-1] tomcat8 security update
  • https://www.oracle.com/security-alerts/cpujan2020.html
  • N/A
  • openSUSE-SU-2019:1808
  • https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  • openSUSE-SU-2019:1723
  • https://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995%40%3Cannounce.tomcat.apache.org%3E
  • [tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/
  • [tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
  • [tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
  • [tomee-commits] 20190528 [jira] [Closed] (TOMEE-2497) Upgrade Tomcat in TomEE 7.0.x/7.1.x/8.0.x for CVE-2019-0199
  • [tomcat-users] 20190620 Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • [tomcat-dev] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • [announce] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • [tomcat-announce] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • [tomcat-dev] 20190620 svn commit: r1861711 - in /tomcat/site/trunk: docs/security-8.html docs/security-9.html xdocs/security-8.xml xdocs/security-9.xml
  • [tomcat-users] 20190620 [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • [tomcat-dev] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • [tomcat-announce] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • [tomcat-users] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • [announce] 20190620 [SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS
  • FEDORA-2019-1a3f878d27
  • FEDORA-2019-d66febb5df
  • [tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/
  • [tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/
Configuration 1

Affected products (CPE)
  • cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* — versions from 9.0.1 (including) to 9.0.14 (including)
  • cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* — versions from 8.5.0 (including) to 8.5.37 (including)
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
  • cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*