Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 HTTP:APACHE:TOMCAT-HTTP2-DOS

Severity

 Major

Recommended

 Yes

Recommended Action

 Drop

Category

 HTTP

Keywords

 Apache Tomcat HTTP2 Connection Window Exhaustion Denial of Service

Release Date

 2019/07/14

Update Number

 3189

Supported Platforms

 srx-17.3+, srx-branch-17.4+, vsrx-15.1+, vsrx3bsd-18.2+

HTTP: Apache Tomcat HTTP2 Connection Window Exhaustion Denial of Service


This signature detects attempts to exploit a known vulnerability against HTTP/2 module of Apache Tomcat. A successful attack can result in a denial-of-service condition.

Extended Description

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Affected Products

  • Apache tomcat 8.5.0
  • Apache tomcat 8.5.1
  • Apache tomcat 8.5.10
  • Apache tomcat 8.5.11
  • Apache tomcat 8.5.12
  • Apache tomcat 8.5.13
  • Apache tomcat 8.5.14
  • Apache tomcat 8.5.15
  • Apache tomcat 8.5.16
  • Apache tomcat 8.5.17
  • Apache tomcat 8.5.18
  • Apache tomcat 8.5.19
  • Apache tomcat 8.5.2
  • Apache tomcat 8.5.20
  • Apache tomcat 8.5.21
  • Apache tomcat 8.5.22
  • Apache tomcat 8.5.23
  • Apache tomcat 8.5.24
  • Apache tomcat 8.5.25
  • Apache tomcat 8.5.26
  • Apache tomcat 8.5.27
  • Apache tomcat 8.5.28
  • Apache tomcat 8.5.29
  • Apache tomcat 8.5.3
  • Apache tomcat 8.5.30
  • Apache tomcat 8.5.31
  • Apache tomcat 8.5.32
  • Apache tomcat 8.5.33
  • Apache tomcat 8.5.34
  • Apache tomcat 8.5.35
  • Apache tomcat 8.5.36
  • Apache tomcat 8.5.37
  • Apache tomcat 8.5.38
  • Apache tomcat 8.5.39
  • Apache tomcat 8.5.4
  • Apache tomcat 8.5.40
  • Apache tomcat 8.5.5
  • Apache tomcat 8.5.6
  • Apache tomcat 8.5.7
  • Apache tomcat 8.5.8
  • Apache tomcat 8.5.9
  • Apache tomcat 9.0.0
  • Apache tomcat 9.0.1
  • Apache tomcat 9.0.10
  • Apache tomcat 9.0.11
  • Apache tomcat 9.0.12
  • Apache tomcat 9.0.13
  • Apache tomcat 9.0.14
  • Apache tomcat 9.0.15
  • Apache tomcat 9.0.16
  • Apache tomcat 9.0.17
  • Apache tomcat 9.0.19
  • Apache tomcat 9.0.2
  • Apache tomcat 9.0.3
  • Apache tomcat 9.0.4
  • Apache tomcat 9.0.5
  • Apache tomcat 9.0.6
  • Apache tomcat 9.0.7
  • Apache tomcat 9.0.8
  • Apache tomcat 9.0.9

References

  • BugTraq: 108874
  • CVE: CVE-2019-10072

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out