CVE-2019-0199: Apache Tomcat DoS Vulnerability Alert

Recently, an HTTP/2 denial-of-service vulnerability in Apache Tomcat (CVE-2019-0199) was discovered. The vulnerability arises because the service accepts a large amount of configuration traffic and allows a client to keep a connection open for a long time without sending any read or write requests. If a client opens too many such connections, the server's threads can eventually be exhausted, and an attacker who exploits this can cause a denial of service on the target.


Affected versions

  • Apache Tomcat 9.0.0.M1 to 9.0.14
  • Apache Tomcat 8.5.0 to 8.5.37

Unaffected versions

  • Apache Tomcat 9.0.16 and later
  • Apache Tomcat 8.5.38 and later

Solution

The vulnerability is fixed in Apache Tomcat 9.0.16 and 8.5.38. Users should update Apache Tomcat as soon as possible.
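
A triage sketch for the version lists above, added here as an example and not taken from the advisory or the Tomcat project: it classifies an installed version against the listed ranges and reports which connectors in a server.xml have HTTP/2 enabled. The sample server.xml is constructed, and treating only HTTP/2-enabled connectors as exposed is an assumption based on this being an HTTP/2 issue; 9.0.15 appears in neither list and is reported as "not listed".

```python
import re
import xml.etree.ElementTree as ET

# Version ranges copied from this advisory (inclusive bounds).
AFFECTED = [("9.0.0.M1", "9.0.14"), ("8.5.0", "8.5.37")]
FIXED_FROM = ["9.0.16", "8.5.38"]
HTTP2_CLASS = "org.apache.coyote.http2.Http2Protocol"
# Constructed sample configuration, not taken from a real deployment.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>"""

def version_key(text):
    """Sortable key for '9.0.0.M1' or '8.5.37'; an optional fourth numeric part is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?(?:\.\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone else (1, 0)  # milestones sort before the release
    return (int(major), int(minor), int(patch), stage)

def classify_version(text):
    v = version_key(text)
    if any(version_key(lo) <= v <= version_key(hi) for lo, hi in AFFECTED):
        return "affected"
    for fixed in FIXED_FROM:  # "and later" is applied within the same major.minor line
        f = version_key(fixed)
        if v[:2] == f[:2] and v >= f:
            return "fixed"
    return "not listed"  # e.g. 9.0.15, or release lines the advisory does not mention

def http2_connectors(server_xml):
    """Ports of <Connector> elements that carry a nested HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    return [c.get("port") for c in root.iter("Connector")
            if any(u.get("className") == HTTP2_CLASS for u in c.findall("UpgradeProtocol"))]

def triage(version, server_xml):
    status = classify_version(version)
    ports = http2_connectors(server_xml)
    # Assumption: only connectors with HTTP/2 enabled are reachable by this HTTP/2 issue.
    return {"version_status": status, "http2_ports": ports,
            "exposed": status == "affected" and bool(ports)}

if __name__ == "__main__":
    print(triage("9.0.14", SAMPLE_SERVER_XML))
```
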