CVE-2019-10072

Published: 21 June 2019

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. The connection-level window is shared by every stream on the connection, so a client that acknowledges data on its individual streams but never on stream 0 still stalls the server's writer once the initial connection window has been consumed.
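The mechanism above, as an added model that is not part of this advisory and not Tomcat code: a server-side writer that honours both the per-stream and the connection-level (stream 0) flow-control windows from RFC 7540, paired with a constructed peer that either acknowledges on both windows or only on its stream. Running the writer on a worker thread shows the thread staying pinned when stream 0 credit never arrives; the `write_timeout` bound on the wait is an assumed mitigation used for contrast, not a description of what the linked upstream commits changed. Class and function names are illustrative.

```python
"""Model of HTTP/2 flow control (RFC 7540 section 6.9) showing how a peer that
never sends WINDOW_UPDATE for stream 0 pins a server write thread.

Added illustration, not Tomcat code. The write_timeout bound on the wait is an
assumed mitigation, used only to contrast with an unbounded wait."""

import threading
import time
from typing import Dict, Optional, Tuple

INITIAL_WINDOW = 65535   # RFC 7540 default for stream and connection windows
MAX_FRAME_SIZE = 16384   # RFC 7540 default SETTINGS_MAX_FRAME_SIZE


class FlowControl:
    """Server-side credit bookkeeping: one connection window plus one per stream."""

    def __init__(self) -> None:
        self.cond = threading.Condition()
        self.connection_window = INITIAL_WINDOW
        self.stream_windows: Dict[int, int] = {}

    def open_stream(self, stream_id: int) -> None:
        with self.cond:
            self.stream_windows[stream_id] = INITIAL_WINDOW

    def window_update(self, stream_id: int, increment: int) -> None:
        """Apply a peer WINDOW_UPDATE; stream 0 carries the connection-level credit."""
        with self.cond:
            if stream_id == 0:
                self.connection_window += increment
            else:
                self.stream_windows[stream_id] += increment
            self.cond.notify_all()

    def reserve(self, stream_id: int, wanted: int, timeout: Optional[float]) -> int:
        """Block until both windows allow at least one byte of a DATA frame.

        Returns the bytes reserved, or 0 if timeout elapsed first. timeout=None
        waits forever, which is the unbounded wait the advisory describes."""
        deadline = None if timeout is None else time.monotonic() + timeout
        with self.cond:
            while True:
                allowed = min(wanted, self.stream_windows[stream_id], self.connection_window)
                if allowed > 0:
                    self.stream_windows[stream_id] -= allowed
                    self.connection_window -= allowed
                    return allowed
                remaining = None if deadline is None else deadline - time.monotonic()
                if remaining is not None and remaining <= 0:
                    return 0
                self.cond.wait(remaining)


class Peer:
    """Constructed client: acknowledges every DATA frame on its own stream and,
    only if update_connection_window is set, on stream 0 as well."""

    def __init__(self, fc: FlowControl, update_connection_window: bool) -> None:
        self.fc = fc
        self.update_connection_window = update_connection_window

    def on_data(self, stream_id: int, n: int) -> None:
        self.fc.window_update(stream_id, n)
        if self.update_connection_window:
            self.fc.window_update(0, n)      # the frame a starving client withholds


def send_response(fc: FlowControl, peer: Peer, stream_id: int, body_len: int,
                  write_timeout: Optional[float], progress: Dict[str, int]) -> int:
    """Write body_len bytes on stream_id; returns bytes actually written."""
    sent = 0
    while sent < body_len:
        n = fc.reserve(stream_id, min(MAX_FRAME_SIZE, body_len - sent), write_timeout)
        if n == 0:
            break                            # bounded wait expired: give the thread back
        sent += n
        progress["sent"] = sent
        peer.on_data(stream_id, n)
    return sent


def run_writer(update_connection_window: bool, write_timeout: Optional[float],
               body_len: int = 200_000, observe_for: float = 0.5) -> Tuple[int, bool]:
    """Run one response on a worker thread; returns (bytes_sent, thread_still_pinned)."""
    fc = FlowControl()
    fc.open_stream(1)
    peer = Peer(fc, update_connection_window)
    progress = {"sent": 0}
    worker = threading.Thread(
        target=send_response, args=(fc, peer, 1, body_len, write_timeout, progress),
        daemon=True)
    worker.start()
    worker.join(observe_for)
    return progress["sent"], worker.is_alive()


if __name__ == "__main__":
    print("updates on both windows, no timeout:", run_writer(True, None))
    print("stream-only updates, unbounded wait:", run_writer(False, None))
    print("stream-only updates, bounded wait:  ", run_writer(False, 0.05))
```

The well-behaved peer lets the full 200,000-byte body through. The peer that only acknowledges on stream 1 stops the writer at exactly 65,535 bytes, the initial connection window, and with an unbounded wait the worker thread never returns; one such connection per worker thread is the exhaustion the advisory describes. With a bounded wait the thread is released after the timeout and the stalled response is abandoned.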

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: tomcat8 (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Released (8.5.41)
Ubuntu 18.04 LTS (Bionic Beaver)   Released (8.5.39-1ubuntu1~18.04.3)
Ubuntu 16.04 ESM (Xenial Xerus)    Not vulnerable (code not present)
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Patches:
Upstream: https://github.com/apache/tomcat/commit/0bcd69c
Upstream: https://github.com/apache/tomcat/commit/8d14c6f
Package: tomcat9 (Launchpad, Ubuntu, Debian)

Release                            Status
Upstream                           Released (9.0.20)
Ubuntu 18.04 LTS (Bionic Beaver)   Released (9.0.16-3ubuntu0.18.04.1)
Ubuntu 16.04 ESM (Xenial Xerus)    Does not exist
Ubuntu 14.04 ESM (Trusty Tahr)     Does not exist

Patches:
Upstream: https://github.com/apache/tomcat/commit/7f748eb
Upstream: https://github.com/apache/tomcat/commit/ada725a