A vulnerability was found in Apache Tomcat versions 9.0.0.M1 to 9.0.14 inclusive and 8.5.0 to 8.5.37 inclusive. The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.

References:
https://mail-archives.apache.org/mod_mbox/tomcat-announce/201903.mbox/browser
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html
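The two abuse patterns in the description (a flood of SETTINGS frames, and streams opened with an announced request body that never arrives, which leaves a blocking-I/O servlet thread parked in read()) can be spotted from the raw client-to-server byte stream. The following is an added detection example, not code from Tomcat or from this bug; the frame layout is the one in RFC 7540, the sample capture is constructed, and the limit of 10 SETTINGS frames is an arbitrary assumption for illustration.

```python
from typing import Dict, List, Tuple

# HTTP/2 frame layout (RFC 7540 s4.1): 24-bit length, 8-bit type, 8-bit flags,
# 1 reserved bit + 31-bit stream id, then the payload.
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
DATA, HEADERS, SETTINGS = 0x0, 0x1, 0x4
END_STREAM, END_HEADERS, ACK = 0x1, 0x4, 0x1  # ACK is the SETTINGS-frame flag

Frame = Tuple[int, int, int, bytes]

def parse_frames(raw: bytes) -> List[Frame]:
    """Split a client-to-server byte stream into (type, flags, stream_id, payload)."""
    if raw.startswith(PREFACE):
        raw = raw[len(PREFACE):]
    frames, off = [], 0
    while off + 9 <= len(raw):
        length = int.from_bytes(raw[off:off + 3], "big")
        ftype, flags = raw[off + 3], raw[off + 4]
        sid = int.from_bytes(raw[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = raw[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: stop rather than misparse
        frames.append((ftype, flags, sid, payload))
        off += 9 + length
    return frames

def audit_connection(raw: bytes, settings_limit: int = 10) -> Dict[str, object]:
    """Count non-ACK SETTINGS frames and list streams whose announced request
    body never arrived (HEADERS without END_STREAM, then no DATA frame)."""
    settings, awaiting_body = 0, set()
    for ftype, flags, sid, _ in parse_frames(raw):
        if ftype == SETTINGS and not flags & ACK:
            settings += 1
        elif ftype == HEADERS and sid and not flags & END_STREAM:
            awaiting_body.add(sid)  # server will block reading this body
        elif ftype == DATA and sid in awaiting_body:
            awaiting_body.discard(sid)
    return {"settings_frames": settings,
            "stalled_streams": sorted(awaiting_body),
            "suspicious": settings > settings_limit or bool(awaiting_body)}

def frame(ftype: int, flags: int, sid: int, payload: bytes = b"") -> bytes:
    """Encode one frame; only used to build the constructed sample below."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + sid.to_bytes(4, "big") + payload

# Constructed sample: 1 normal SETTINGS plus 50 empty ones; stream 1 announces a
# body it never sends, stream 3 has no body, stream 5 does send its body.
SAMPLE = (PREFACE + frame(SETTINGS, 0, 0) * 51
          + frame(HEADERS, END_HEADERS, 1, b"\x82")
          + frame(HEADERS, END_HEADERS | END_STREAM, 3, b"\x82")
          + frame(HEADERS, END_HEADERS, 5, b"\x82") + frame(DATA, END_STREAM, 5, b"x=1"))

if __name__ == "__main__":
    print(audit_connection(SAMPLE))
```

In practice this check would run over frames decoded after TLS termination; a healthy client sends one SETTINGS frame at connection start and the occasional update, so dozens per connection is the signal to act on.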
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1693326]
Statement: pki-servlet-container does not use HTTP/2 in its default configuration.
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2019:3931 https://access.redhat.com/errata/RHSA-2019:3931
This issue has been addressed in the following products:
Red Hat JBoss Web Server 5.2 on RHEL 7
Red Hat JBoss Web Server 5.2 on RHEL 6
Red Hat JBoss Web Server 5.2 on RHEL 8
Via RHSA-2019:3929 https://access.redhat.com/errata/RHSA-2019:3929
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-0199
This issue has been addressed in the following products:
Red Hat Runtimes Spring Boot 2.1.12
Via RHSA-2020:2366 https://access.redhat.com/errata/RHSA-2020:2366