CVE-2019-0199

Published: 10 April 2019

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: tomcat8 (Launchpad, Ubuntu, Debian)
  Upstream:                        Released (8.5.38-1)
  Ubuntu 18.04 LTS (Bionic Beaver): Released (8.5.39-1ubuntu1~18.04.1)
  Ubuntu 16.04 ESM (Xenial Xerus):  Not vulnerable (code not present)
  Ubuntu 14.04 ESM (Trusty Tahr):   Does not exist

Package: tomcat9 (Launchpad, Ubuntu, Debian)
  Upstream:                        Released (9.0.16-1)
  Ubuntu 18.04 LTS (Bionic Beaver): Not vulnerable (9.0.16-3~18.04.1)
  Ubuntu 16.04 ESM (Xenial Xerus):  Does not exist
  Ubuntu 14.04 ESM (Trusty Tahr):   Does not exist