5
CVSSv2

CVE-2019-10072

Published: 21/06/2019 Updated: 25/06/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

A vulnerability in Apache Tomcat could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. The vulnerability is due to an incomplete fix for CVE-2019-0199, which did not address HTTP/2 connection window exhaustion on write. The affected software does not send WINDOW_UPDATE messages for the connection window (stream 0), which could allow clients to cause server-side threads to block. An attacker could exploit this vulnerability to cause thread exhaustion, resulting in a DoS condition. Apache has confirmed the vulnerability and released software updates.

Vulnerability Trend

Affected Products

Vendor Product Versions
ApacheTomcat8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.16, 8.5.17, 8.5.18, 8.5.19, 8.5.20, 8.5.21, 8.5.22, 8.5.23, 8.5.24, 8.5.25, 8.5.26, 8.5.27, 8.5.28, 8.5.29, 8.5.30, 8.5.31, 8.5.32, 8.5.33, 8.5.34, 8.5.35, 8.5.36, 8.5.37, 8.5.38, 8.5.39, 8.5.40, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.0.11, 9.0.12, 9.0.13, 9.0.14, 9.0.15, 9.0.16, 9.0.17, 9.0.19

Vendor Advisories

Synopsis Moderate: Red Hat JBoss Web Server 52 security release Type/Severity Security Advisory: Moderate Topic Updated Red Hat JBoss Web Server 520 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8Red Hat Product Security has rated thi ...
Synopsis Moderate: Red Hat JBoss Web Server 52 security release Type/Severity Security Advisory: Moderate Topic Red Hat JBoss Web Server 520 zip release for RHEL 6, RHEL 7, RHEL 8 and Microsoft Windows is availableRed Hat Product Security has rated this update as having a security impactof Moderate A C ...
Debian Bug report logs - #931131 tomcat9: CVE-2019-10072 Package: src:tomcat9; Maintainer for src:tomcat9 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 26 Jun 2019 18:45:01 UTC Severity: important Tags: security, upstream F ...
Several security issues were fixed in Tomcat 9 ...
Impact: Moderate Public Date: 2019-06-21 CWE: CWE-400 Bugzilla: 1723708: CVE-2019-10072 tomcat: HTTP/2 ...
Several security issues were fixed in Tomcat 8 ...
IBM WebSphere Cast Iron Solution has addressed the following vulnerabilities reported in Apache Tomcat v8 ...

Github Repositories

Aware IM Developer - Server Components, Resources and Dependencies Aware IM is a rapid low-code application development tool that lets you create powerful aesthetically appealing web applications quickly Changelog Software Written in 100% Java programming language Aware IM is based on the plethora of Java technologies such as J2EE application server, JDBC, JMS, JSP/serv

Recent Articles

Yo, sysadmins! Thought Patch Tuesday was big? Oracle says 'hold my Java' with huge 334 security flaw fix bundle
The Register • Shaun Nichols in San Francisco • 15 Jan 2020

House of Larry delivers massive update for 93 products

Oracle has released a sweeping set of security patches across the breadth of its software line.
The January update, delivered one day after Microsoft, Intel, Adobe, and others dropped their scheduled monthly patches, addresses a total of 334 security vulnerabilities across 93 different products from the enterprise giant.
As you may imagine, most IT admins will only need to test and apply a handful of the updates for their specific platforms.
For Oracle's flagship Database Serve...

Oracle Ties Previous All-Time Patch High with January Updates
Threatpost • Tara Seals • 14 Jan 2020

Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). Out of these, 43 are critical/severe flaws carrying CVSS scores of 9.1 and above. The CPU ties for Oracle’s previous all-time high for number of patches issued, in July 2019, which overtook its previous record of 308 in July 2017.
The company said in a pre-release announcement that some of the vulnerabilities affect multiple products. “Due to the threat ...