An issue has been found in Apache Tomcat before 8.5.57 and before 9.0.37, where an h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
An issue has been found in Apache Tomcat before 8.5.57 and before 9.0.37, where an h4c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.57 https://github.com/apache/tomcat/commit/12d715676038efbf9c728af10163f8277fc019d5 https://github.com/apache/tomcat/commit/172977f04a5215128f1e278a688983dcd230f399