===================================================================== CERT-Renater Note d'Information No. 2024/VULN124 _____________________________________________________________________ DATE : 14/03/2024 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 11.0.0-M17, 10.1.19, 9.0.86, 8.5.99. ===================================================================== https://lists.apache.org/thread/9hm9jd8co66665qxo0wp0jgopwt905o5 https://lists.apache.org/thread/co52zktj87g54602ng1o9399srdco7qt _____________________________________________________________________ [SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service CVE-2024-24549 Apache Tomcat - Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M16 Apache Tomcat 10.1.0-M1 to 10.1.18 Apache Tomcat 9.0.0-M1 to 9.0.85 Apache Tomcat 8.5.0 to 8.5.98 Description: When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M17 or later - Upgrade to Apache Tomcat 10.1.19 or later - Upgrade to Apache Tomcat 9.0.86 or later - Upgrade to Apache Tomcat 8.5.99 or later Credit: This vulnerability was reported responsibly to the Tomcat security team by Bartek Nowotarski (https://nowotarski.info/). History: 2024-03-13 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html [4] https://tomcat.apache.org/security-8.html _____________________________________________________________________ [SECURITY] CVE-2024-23672 Apache Tomcat - Denial of Service CVE-2024-23672 Apache Tomcat - Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M16 Apache Tomcat 10.1.0-M1 to 10.1.18 Apache Tomcat 9.0.0-M1 to 9.0.85 Apache Tomcat 8.5.0 to 8.5.98 Description: It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M17 or later - Upgrade to Apache Tomcat 10.1.19 or later - Upgrade to Apache Tomcat 9.0.86 or later - Upgrade to Apache Tomcat 8.5.99 or later History: 2024-03-13 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html [4] https://tomcat.apache.org/security-8.html ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================