CVE-2019-0199

First published: Mon Mar 25 2019(Updated: )

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
maven/org.apache.tomcat.embed:tomcat-embed-core	>=8.0.0<8.5.38	8.5.38
maven/org.apache.tomcat.embed:tomcat-embed-core	>=9.0.0<9.0.16	9.0.16
IBM GDE	<=3.0.0.2
Apache Tomcat	>=8.5.0<=8.5.37
Apache Tomcat	>=9.0.1<=9.0.14
Apache Tomcat	=9.0.0-milestone1
Apache Tomcat	=9.0.0-milestone10
Apache Tomcat	=9.0.0-milestone11
Apache Tomcat	=9.0.0-milestone12
Apache Tomcat	=9.0.0-milestone13
Apache Tomcat	=9.0.0-milestone14
Apache Tomcat	=9.0.0-milestone15
Apache Tomcat	=9.0.0-milestone16
Apache Tomcat	=9.0.0-milestone17
Apache Tomcat	=9.0.0-milestone18
Apache Tomcat	=9.0.0-milestone19
Apache Tomcat	=9.0.0-milestone2
Apache Tomcat	=9.0.0-milestone20
Apache Tomcat	=9.0.0-milestone21
Apache Tomcat	=9.0.0-milestone3
Apache Tomcat	=9.0.0-milestone4
Apache Tomcat	=9.0.0-milestone5
Apache Tomcat	=9.0.0-milestone6
Apache Tomcat	=9.0.0-milestone7
Apache Tomcat	=9.0.0-milestone8
Apache Tomcat	=9.0.0-milestone9
Apache Tomcat	=9.0.0-m1
Apache Tomcat	=9.0.0-m10
Apache Tomcat	=9.0.0-m11
Apache Tomcat	=9.0.0-m12
Apache Tomcat	=9.0.0-m13
Apache Tomcat	=9.0.0-m14
Apache Tomcat	=9.0.0-m15
Apache Tomcat	=9.0.0-m16
Apache Tomcat	=9.0.0-m17
Apache Tomcat	=9.0.0-m18
Apache Tomcat	=9.0.0-m19
Apache Tomcat	=9.0.0-m2
Apache Tomcat	=9.0.0-m20
Apache Tomcat	=9.0.0-m21
Apache Tomcat	=9.0.0-m3
Apache Tomcat	=9.0.0-m4
Apache Tomcat	=9.0.0-m5
Apache Tomcat	=9.0.0-m6
Apache Tomcat	=9.0.0-m7
Apache Tomcat	=9.0.0-m8
Apache Tomcat	=9.0.0-m9
redhat/jws5-ecj	<0:4.12.0-1.redhat_1.1.el6	0:4.12.0-1.redhat_1.1.el6
redhat/jws5-javapackages-tools	<0:3.4.1-5.15.11.el6	0:3.4.1-5.15.11.el6
redhat/jws5-jboss-logging	<0:3.3.2-1.Final_redhat_00001.1.el6	0:3.3.2-1.Final_redhat_00001.1.el6
redhat/jws5-tomcat	<0:9.0.21-10.redhat_4.1.el6	0:9.0.21-10.redhat_4.1.el6
redhat/jws5-tomcat-native	<0:1.2.21-34.redhat_34.el6	0:1.2.21-34.redhat_34.el6
redhat/jws5-tomcat-vault	<0:1.1.8-1.Final_redhat_1.1.el6	0:1.1.8-1.Final_redhat_1.1.el6
redhat/jws5-ecj	<0:4.12.0-1.redhat_1.1.el7	0:4.12.0-1.redhat_1.1.el7
redhat/jws5-javapackages-tools	<0:3.4.1-5.15.11.el7	0:3.4.1-5.15.11.el7
redhat/jws5-jboss-logging	<0:3.3.2-1.Final_redhat_00001.1.el7	0:3.3.2-1.Final_redhat_00001.1.el7
redhat/jws5-tomcat	<0:9.0.21-10.redhat_4.1.el7	0:9.0.21-10.redhat_4.1.el7
redhat/jws5-tomcat-native	<0:1.2.21-34.redhat_34.el7	0:1.2.21-34.redhat_34.el7
redhat/jws5-tomcat-vault	<0:1.1.8-1.Final_redhat_1.1.el7	0:1.1.8-1.Final_redhat_1.1.el7
redhat/jws5-ecj	<0:4.12.0-1.redhat_1.1.el8	0:4.12.0-1.redhat_1.1.el8
redhat/jws5-javapackages-tools	<0:3.4.1-5.15.11.el8	0:3.4.1-5.15.11.el8
redhat/jws5-jboss-logging	<0:3.3.2-1.Final_redhat_00001.1.el8	0:3.3.2-1.Final_redhat_00001.1.el8
redhat/jws5-tomcat	<0:9.0.21-10.redhat_4.1.el8	0:9.0.21-10.redhat_4.1.el8
redhat/jws5-tomcat-native	<0:1.2.21-34.redhat_34.el8	0:1.2.21-34.redhat_34.el8
redhat/jws5-tomcat-vault	<0:1.1.8-1.Final_redhat_1.1.el8	0:1.1.8-1.Final_redhat_1.1.el8
debian/tomcat9		9.0.31-1~deb10u6 9.0.31-1~deb10u10 9.0.43-2~deb11u6 9.0.43-2~deb11u9 9.0.70-2

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/github-advisory
alias/GHSA-qcxh-w3j9-58qr
alias/CVE-2019-0199
collector/github-advisory-latest
collector/ibm-support
collector/nvd-api
collector/nvd-cve
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/redhat-cve
collector/security-tracker-debian
package-manager/maven
vendor/ibm
canonical/ibm gde
version/ibm gde/3.0.0.2
vendor/apache
canonical/apache tomcat
version/apache tomcat/8.5.0
version/apache tomcat/8.5.37
version/apache tomcat/9.0.1
version/apache tomcat/9.0.14
version/apache tomcat/9.0.0-milestone1
version/apache tomcat/9.0.0-milestone10
version/apache tomcat/9.0.0-milestone11
version/apache tomcat/9.0.0-milestone12
version/apache tomcat/9.0.0-milestone13
version/apache tomcat/9.0.0-milestone14
version/apache tomcat/9.0.0-milestone15
version/apache tomcat/9.0.0-milestone16
version/apache tomcat/9.0.0-milestone17
version/apache tomcat/9.0.0-milestone18
version/apache tomcat/9.0.0-milestone19
version/apache tomcat/9.0.0-milestone2
version/apache tomcat/9.0.0-milestone20
version/apache tomcat/9.0.0-milestone21
version/apache tomcat/9.0.0-milestone3
version/apache tomcat/9.0.0-milestone4
version/apache tomcat/9.0.0-milestone5
version/apache tomcat/9.0.0-milestone6
version/apache tomcat/9.0.0-milestone7
version/apache tomcat/9.0.0-milestone8
version/apache tomcat/9.0.0-milestone9
version/apache tomcat/9.0.0-m1
version/apache tomcat/9.0.0-m10
version/apache tomcat/9.0.0-m11
version/apache tomcat/9.0.0-m12
version/apache tomcat/9.0.0-m13
version/apache tomcat/9.0.0-m14
version/apache tomcat/9.0.0-m15
version/apache tomcat/9.0.0-m16
version/apache tomcat/9.0.0-m17
version/apache tomcat/9.0.0-m18
version/apache tomcat/9.0.0-m19
version/apache tomcat/9.0.0-m2
version/apache tomcat/9.0.0-m20
version/apache tomcat/9.0.0-m21
version/apache tomcat/9.0.0-m3
version/apache tomcat/9.0.0-m4
version/apache tomcat/9.0.0-m5
version/apache tomcat/9.0.0-m6
version/apache tomcat/9.0.0-m7
version/apache tomcat/9.0.0-m8
version/apache tomcat/9.0.0-m9
package-manager/redhat
package-manager/debian

CVE-2019-0199

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact