5
CVSSv2

CVE-2019-0199

Published: 10/04/2019 Updated: 28/05/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

A vulnerability in Apache Tomcat could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to a resource exhaustion condition in the HTTP/2 implementation of the affected software. An attacker could exploit this vulnerability by keeping streams that use the blocking I/O of the Servlet API open for requests. A successful exploit could result in a DoS condition on the targeted system. Apache has confirmed the vulnerability and released software updates.

Vulnerability Trend

Vendor Advisories

Several security issues were fixed in Tomcat 9 ...
Debian Bug report logs - #931131 tomcat9: CVE-2019-10072 Package: src:tomcat9; Maintainer for src:tomcat9 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 26 Jun 2019 18:45:01 UTC Severity: important Tags: security, upstream F ...
Several security issues were fixed in Tomcat 8 ...
Synopsis Important: Red Hat support for Spring Boot 2112 security and bug fix update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat OpenShift Application RuntimesRed Hat Product Security has rated this update as having a security impact of Important A Common Vuln ...
Synopsis Moderate: Red Hat JBoss Web Server 52 security release Type/Severity Security Advisory: Moderate Topic Updated Red Hat JBoss Web Server 520 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8Red Hat Product Security has rated thi ...
The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually lea ...
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 900M1 to 9019 and 850 to 8540 By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a ...
IBM WebSphere Cast Iron Solution & App Connect Professional has addressed the following vulnerabilities reported in Apache Tomcat ...
When the default servlet in Apache Tomcat returned a redirect to a directory (eg redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice (CVE-2018-11784 ) When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in A ...
Synopsis Moderate: Red Hat JBoss Web Server 52 security release Type/Severity Security Advisory: Moderate Topic Red Hat JBoss Web Server 520 zip release for RHEL 6, RHEL 7, RHEL 8 and Microsoft Windows is availableRed Hat Product Security has rated this update as having a security impactof Moderate A C ...
Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects For the oldstable distribution (stretch), these problems have been fixed in version 8550-0+deb9u1 This update also req ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4596-1 security () debian org wwwdebianorg/security/ Moritz Muehlenhoff December 27, 2019 wwwdebianorg/security/faq ...

Github Repositories

Aware IM Application Stack

Aware IM Server Stack Servers, Components, Frameworks, Dependencies and other resources Aware IM is a rapid low-code application development tool that lets you create powerful aesthetically appealing web applications quickly Changelog Software Written in 100% Java programming language Aware IM is based on the plethora of Java technologies such as J2EE application server,

Cyber Securiy MOOC Unsecure project

LINK: githubcom/ilmari666/cybsec Based on the Springboot-template as per course material that can be installed and run with suitably configured Netbeans and Maven Five flaws as per wwwowasporg/images/7/72/OWASP_Top_10-2017_%28en%29pdfpdf This document can be read at githubcom/ilmari666/cybsec/blob/master/READMEmd FLAW 1: A2:2017 Broken Authentica

References

CWE-400http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00090.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-07/msg00013.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-07/msg00054.htmlhttp://www.securityfocus.com/bid/107674https://access.redhat.com/errata/RHSA-2019:3929https://access.redhat.com/errata/RHSA-2019:3931https://lists.apache.org/thread.html/158ab719cf60448ddbb074798f09152fdb572fc8f781e70a56118d1a@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/4c438fa4c78cb1ce8979077f668ab7145baf83e7c59f2faf7eccf094@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/7bb193bc68b28d21ff1c726fd38bea164deb6333b59eec2eb3661da6@%3Cusers.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/9fe25f98bac6d66f8a663a15c37a98bc2d8f8bbed1d408791a3e4067@%3Cusers.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/a7a201bd23e67fd3326c9b22b814dd0537d3270b3b54a768e2e7ef50@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/ac0185ce240a711b542a55bccf9349ab0c2f343d70cf7835e08fabc9@%3Cannounce.apache.org%3Ehttps://lists.apache.org/thread.html/cf4eb2bd2083cebb3602a293c653f9a7faa96c86f672c876f25b37ef@%3Cannounce.apache.org%3Ehttps://lists.apache.org/thread.html/dddb3590bac28fbe89f69f5ccbe26283d014ddc691abdd042de14600@%3Cannounce.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a@%3Cannounce.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/e1b0b273b6e8ddcc72c9023bc2394b1276fc72664144bf21d0a87995@%3Cannounce.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/e56886e1bac9319ecce81b3612dd7a1a43174a3a741a1c805e16880e@%3Ccommits.tomee.apache.org%3Ehttps://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/e87733036e8c84ea648cdcdca3098f3c8a897e2652c33062b2b1535c@%3Cusers.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3Ehttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NPHQEL5AQ6LZSZD2Y6TYZ4RC3WI7NXJ3/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZQTZ5BJ5F4KV6N53SGNKSW3UY5DBIQ46/https://seclists.org/bugtraq/2019/Dec/43https://security.netapp.com/advisory/ntap-20190419-0001/https://support.f5.com/csp/article/K17321505https://www.debian.org/security/2019/dsa-4596https://www.oracle.com/security-alerts/cpuapr2020.htmlhttps://www.oracle.com/security-alerts/cpujan2020.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2019-0199https://nvd.nist.govhttps://usn.ubuntu.com/4128-2/https://tools.cisco.com/security/center/viewAlert.x?alertId=59989