Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 up to and including 11.0.0-M11, from 10.1.0-M1 up to and including 10.1.13, from 9.0.0-M1 up to and including 9.0.80 and from 8.5.0 up to and including 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. (CVE-2023-42795)

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 up to and including 11.0.0-M11, from 10.1.0-M1 up to and including 10.1.13, from 9.0.0-M1 up to and including 9.0.81 and from 8.5.0 up to and including 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. (CVE-2023-45648)
Vulnerable Product |
---|
ietf http 2.0 |
nghttp2 nghttp2 |
netty netty |
envoyproxy envoy 1.27.0 |
envoyproxy envoy 1.26.4 |
envoyproxy envoy 1.25.9 |
envoyproxy envoy 1.24.10 |
eclipse jetty |
caddyserver caddy |
golang http2 |
golang go |
golang networking |
f5 big-ip analytics |
f5 big-ip policy enforcement manager |
f5 big-ip local traffic manager |
f5 big-ip link controller |
f5 big-ip global traffic manager |
f5 big-ip fraud protection service |
f5 big-ip domain name system |
f5 big-ip application security manager |
f5 big-ip application acceleration manager |
f5 big-ip advanced firewall manager |
f5 big-ip access policy manager |
f5 big-ip advanced web application firewall |
f5 big-ip application visibility and reporting |
f5 big-ip carrier-grade nat |
f5 big-ip ddos hybrid defender |
f5 big-ip ssl orchestrator |
f5 big-ip webaccelerator |
f5 big-ip websafe |
f5 big-ip access policy manager 17.1.0 |
f5 big-ip advanced firewall manager 17.1.0 |
f5 big-ip advanced web application firewall 17.1.0 |
f5 big-ip analytics 17.1.0 |
f5 big-ip application acceleration manager 17.1.0 |
f5 big-ip application security manager 17.1.0 |
f5 big-ip application visibility and reporting 17.1.0 |
f5 big-ip carrier-grade nat 17.1.0 |
f5 big-ip ddos hybrid defender 17.1.0 |
f5 big-ip domain name system 17.1.0 |
f5 big-ip fraud protection service 17.1.0 |
f5 big-ip global traffic manager 17.1.0 |
f5 big-ip link controller 17.1.0 |
f5 big-ip local traffic manager 17.1.0 |
f5 big-ip policy enforcement manager 17.1.0 |
f5 big-ip ssl orchestrator 17.1.0 |
f5 big-ip webaccelerator 17.1.0 |
f5 big-ip websafe 17.1.0 |
f5 nginx plus r30 |
f5 nginx plus |
f5 nginx plus r29 |
f5 big-ip next 20.0.1 |
f5 big-ip next service proxy for kubernetes |
f5 nginx |
f5 nginx ingress controller |
apache tomcat 11.0.0 |
apache tomcat |
apple swiftnio http/2 |
grpc grpc 1.57.0 |
grpc grpc |
microsoft windows server 2016 - |
microsoft windows server 2019 - |
microsoft windows server 2022 - |
microsoft windows 10 22h2 |
microsoft windows 10 1809 |
microsoft windows 11 21h2 |
microsoft windows 11 22h2 |
microsoft windows 10 1607 |
microsoft .net |
microsoft windows 10 21h2 |
microsoft visual studio 2022 |
microsoft asp.net core |
microsoft azure kubernetes service |
nodejs node.js |
microsoft cbl-mariner |
dena h2o |
facebook proxygen |
apache traffic server |
apache apisix |
amazon opensearch data prepper |
debian debian linux 10.0 |
debian debian linux 11.0 |
debian debian linux 12.0 |
kazu-yamamoto http2 |
istio istio |
varnish cache project varnish cache |
traefik traefik 3.0.0 |
traefik traefik |
projectcontour contour |
linkerd linkerd 2.13.0 |
linkerd linkerd 2.13.1 |
linkerd linkerd 2.14.0 |
linkerd linkerd 2.14.1 |
linkerd linkerd |
linecorp armeria |
redhat enterprise linux 6.0 |
redhat jboss enterprise application platform 6.0.0 |
redhat jboss fuse 6.0.0 |
redhat satellite 6.0 |
redhat jboss enterprise application platform 7.0.0 |
redhat decision manager 7.0 |
redhat jboss core services - |
redhat enterprise linux 8.0 |
redhat single sign-on 7.0 |
redhat jboss fuse 7.0.0 |
redhat process automation 7.0 |
redhat jboss data grid 7.0.0 |
redhat quay 3.0.0 |
redhat openshift container platform 4.0 |
redhat openstack platform 16.1 |
redhat advanced cluster management for kubernetes 2.0 |
redhat build of quarkus - |
redhat integration service registry - |
redhat integration camel k - |
redhat openshift service mesh 2.0 |
redhat jboss a-mq 7 |
redhat 3scale api management platform 2.0 |
redhat ceph storage 5.0 |
redhat openstack platform 16.2 |
redhat enterprise linux 9.0 |
redhat ansible automation platform 2.0 |
redhat integration camel for spring boot - |
redhat migration toolkit for applications 6.0 |
redhat openshift developer tools and services - |
redhat openshift api for data protection - |
redhat openshift serverless - |
redhat build of optaplanner 8.0 |
redhat openshift data science - |
redhat advanced cluster security 4.0 |
redhat advanced cluster security 3.0 |
redhat cert-manager operator for red hat openshift - |
redhat openshift dev spaces - |
redhat cost management - |
redhat migration toolkit for virtualization - |
redhat jboss a-mq streams - |
redhat cryostat 2.0 |
redhat network observability operator - |
redhat node healthcheck operator - |
redhat openshift gitops - |
redhat openshift virtualization 4 |
redhat logging subsystem for red hat openshift - |
redhat openshift pipelines - |
redhat openshift sandboxed containers - |
redhat openshift secondary scheduler operator - |
redhat openshift container platform assisted installer - |
redhat certification for red hat enterprise linux 9.0 |
redhat certification for red hat enterprise linux 8.0 |
redhat migration toolkit for containers - |
redhat openstack platform 17.1 |
redhat openshift - |
redhat run once duration override operator - |
redhat service interconnect 1.0 |
redhat openshift distributed tracing - |
redhat support for spring boot - |
redhat web terminal - |
redhat node maintenance operator - |
redhat machine deletion remediation operator - |
redhat fence agents remediation operator - |
redhat self node remediation operator - |
redhat service_telemetry_framework 1.5 |
fedoraproject fedora 37 |
fedoraproject fedora 38 |
netapp astra control center - |
akka http server |
konghq kong gateway |
jenkins jenkins |
apache solr |
openresty openresty |
cisco unified contact center enterprise - |
cisco prime infrastructure |
cisco secure malware analytics |
cisco secure dynamic attributes connector |
cisco firepower threat defense |
cisco fog director |
cisco ios xe |
cisco prime network registrar |
cisco prime cable provisioning |
cisco prime access registrar |
cisco data center network manager - |
cisco iot field network director |
cisco ios xr |
cisco crosswork zero touch provisioning |
cisco crosswork data gateway 5.0 |
cisco crosswork data gateway |
cisco expressway |
cisco connected mobile experiences |
cisco telepresence video communication server |
cisco unified contact center domain manager - |
cisco unified contact center enterprise - live data server |
cisco unified contact center management portal - |
cisco unified attendant console advanced - |
cisco enterprise chat and email - |
cisco ultra cloud core - session management function |
cisco ultra cloud core - serving gateway function |
cisco ultra cloud core - policy control function |
cisco ultra cloud core - policy control function 2024.01.0 |
cisco secure_web_appliance_firmware |
cisco nx-os |
Botnet storm drowned last record with 398 million requests per second
A zero-day vulnerability in the HTTP/2 protocol was exploited to launch the largest distributed denial-of-service (DDoS) attack on record, according to Cloudflare. Surpassing 398 million requests per second, the attack is believed to be more than five times larger than the previous record of 71 million requests per second. Google, Cloudflare, and AWS led a coordinated vulnerability disclosure on Tuesday for the flaw tracked as CVE-2023-44487 or Rapid Reset. All three have been monitoring applica...
Happy Halloween! Security bugs under attack squashed, more flaws fixed. Farewell WordPad, we hardly knew ye
Patch Tuesday Microsoft on Tuesday issued more than 100 security updates to fix flaws in its products, including two bugs that are already under active attack, as well as addressing an HTTP/2 weakness that has also been exploited in the wild. That last one – tracked as CVE-2023-44487 aka Rapid Reset – is an HTTP/2 protocol vulnerability that has been abused since August to launch massive distributed denial of service (DDoS) attacks. Microsoft, Amazon, Google, and Cloudflare all released miti...