CVE-2019-0199

HIGH

Apache Tomcat 8.5.0-8.5.37 and 9.0.0.M1-9.0.14 - Denial of Service via HTTP/2 Stream Exhaustion

Title source: llm

Description

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading or writing request/response data. By keeping streams open for requests that used the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a denial of service.

References (35)

- Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20190419-0001/
- Vendor Advisory (x_refsource_confirm): https://support.f5.com/csp/article/K17321505
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/107674
- Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:3929
- Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:3931
- Third Party Advisory (vendor-advisory, x_refsource_debian): https://www.debian.org/security/2019/dsa-4596
- Mailing List (mailing-list, x_refsource_bugtraq): https://seclists.org/bugtraq/2019/Dec/43

Scores

CVSS v3 7.5
EPSS 0.6558
EPSS Percentile 98.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-400
Status published
Products (6)
- apache/tomcat 9.0.0 milestone1 (21 CPE variants)
- apache/tomcat 8.5.0 - 8.5.37
- org.apache.tomcat/tomcat-coyote 8.0.0 - 8.5.38 (Maven)
- org.apache.tomcat/tomcat-coyote 9.0.0 - 9.0.16 (Maven)
- org.apache.tomcat.embed/tomcat-embed-core 8.0.0 - 8.5.38 (Maven)
- org.apache.tomcat.embed/tomcat-embed-core 9.0.0 - 9.0.16 (Maven)
Published Apr 10, 2019
Tracked Since Feb 18, 2026