CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS
First published: Wed Mar 13 2024(Updated: )
Apache Tomcat is vulnerable to a denial of service, caused by improper input validation by the HTTP/2 header. By sending specially crafted HTTP/2 requests, a remote attacker could exploit this vulnerability to cause a denial of service condition.
Credit: security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.apache.tomcat:tomcat-coyote | >=8.5.0<=8.5.98 | 8.5.99 |
| maven/org.apache.tomcat:tomcat-coyote | >=9.0.0-M1<=9.0.85 | 9.0.86 |
| maven/org.apache.tomcat:tomcat-coyote | >=10.1.0-M1<=10.1.18 | 10.1.19 |
| maven/org.apache.tomcat:tomcat-coyote | >=11.0.0-M1<=11.0.0-M16 | 11.0.0-M17 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=11.0.0-M1<=11.0.0-M16 | 11.0.0-M17 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=10.1.0-M1<=10.1.18 | 10.1.19 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0-M1<=9.0.85 | 9.0.86 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.0<=8.5.98 | 8.5.99 |
| redhat/Apache Tomcat | <11.0.0 | 11.0.0 |
| redhat/Apache Tomcat | <10.1.19 | 10.1.19 |
| redhat/Apache Tomcat | <9.0.86 | 9.0.86 |
| redhat/Apache Tomcat | <8.5.99 | 8.5.99 |
| IBM Db2 Warehouse | <=v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2024-24549
- https://lists.apache.org/thread/4c50rmomhbbsdgfjsgwlb51xdwfjdcvg
- https://github.com/apache/tomcat/commit/0cac540a882220231ba7a82330483cbd5f6b1f96
- https://github.com/apache/tomcat/commit/810f49d5ff6d64b704af85d5b8d0aab9ec3c83f5
- https://github.com/apache/tomcat/commit/8e03be9f2698f2da9027d40b9e9c0c9429b74dc0
- https://github.com/apache/tomcat/commit/d07c82194edb69d99b438828fe2cbfadbb207843
- https://security.netapp.com/advisory/ntap-20240402-0002
- https://lists.debian.org/debian-lts-announce/2024/04/msg00001.html
- http://www.openwall.com/lists/oss-security/2024/03/13/3
- https://github.com/advisories/GHSA-7w75-32cg-r6g2 (Advisory)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/285497
- https://www.ibm.com/support/pages/node/7155078 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55/
- https://security.netapp.com/advisory/ntap-20240402-0002/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2269611
- https://access.redhat.com/errata/RHSA-2024:1319
- https://access.redhat.com/errata/RHSA-2024:1318
- https://access.redhat.com/errata/RHSA-2024:1324
- https://access.redhat.com/errata/RHSA-2024:1325
- https://access.redhat.com/errata/RHSA-2024:3308
- https://access.redhat.com/errata/RHSA-2024:3307
- https://access.redhat.com/errata/RHSA-2024:3666
- https://access.redhat.com/errata/RHSA-2024:3814
- https://bugzilla.redhat.com/show_bug.cgi?id=2269607
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/736G4GPZWS2DSQO5WKXO3G6OMZKFEK55
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3UWIS5MMGYDZBLJYT674ZI5AWFHDZ46B
Frequently Asked Questions
What is the severity of CVE-2024-24549?
CVE-2024-24549 has a severity rating of medium due to its potential to cause denial of service.
How do I fix CVE-2024-24549?
To fix CVE-2024-24549, upgrade Apache Tomcat to version 8.5.99, 9.0.86, 10.1.19, or 11.0.0-M17, depending on your version.
What systems are affected by CVE-2024-24549?
CVE-2024-24549 affects multiple versions of Apache Tomcat, specifically those prior to 8.5.99, 9.0.86, 10.1.19, and 11.0.0-M17.
Is there a workaround for CVE-2024-24549?
Currently, the recommendation is to apply the available patches rather than relying on workarounds for CVE-2024-24549.
What type of attack does CVE-2024-24549 allow?
CVE-2024-24549 allows remote attackers to perform denial of service attacks by sending specially crafted HTTP/2 requests.
- agent/title
- agent/type
- agent/first-publish-date
- collector/oss-sec
- source/oss-sec
- alias/CVE-2024-24549
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/author
- agent/weakness
- agent/softwarecombine
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-7w75-32cg-r6g2
- agent/software-canonical-lookup
- agent/severity
- collector/nvd-cve
- source/NVD
- agent/event
- collector/github-advisory
- collector/redhat-bugzilla
- source/Red Hat
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/last-modified-date
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup-request
- package-manager/maven
- package-manager/redhat
- vendor/ibm
- canonical/ibm db2 warehouse
- version/ibm db2 warehouse/v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4