
CVE-2019-10072

Published: 21 June 2019

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.

Priority

Medium

CVSS 3 base score: 7.5

Status

Package   Release    Status

tomcat8 (Launchpad, Ubuntu, Debian)
          bionic     Released (8.5.39-1ubuntu1~18.04.3)
          cosmic     Ignored (reached end-of-life)
          disco      Does not exist
          precise    Does not exist
          trusty     Does not exist
          upstream   Released (8.5.41)
          xenial     Not vulnerable (code not present)

tomcat9 (Launchpad, Ubuntu, Debian)
          bionic     Released (9.0.16-3ubuntu0.18.04.1)
          cosmic     Ignored (reached end-of-life)
          disco      Released (9.0.16-3ubuntu0.19.04.1)
          precise    Does not exist
          trusty     Does not exist
          upstream   Released (9.0.20)
          xenial     Does not exist