CVE-2019-0199
Denial of Service vulnerability in tomcat-embed-core (Maven)

Denial of Service No known exploit

What is CVE-2019-0199 About?

This vulnerability allows for a Denial of Service (DoS) in Apache Tomcat's HTTP/2 implementation. Attackers can exploit it by sending excessive SETTINGS frames or keeping streams open without data transfer, leading to thread exhaustion. This vulnerability is relatively easy to exploit as it primarily relies on manipulating HTTP/2 stream behavior.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0, <9.0.16
    • >8.0.0, <8.5.38

Technical Details

The HTTP/2 implementation in Apache Tomcat is susceptible to a Denial of Service attack due to two main weaknesses. Firstly, it accepts an excessive number of SETTINGS frames from clients, which can consume server resources. Secondly, it permits clients to maintain open HTTP/2 streams without actively sending or receiving request/response data. When these prolonged open streams are associated with requests utilizing the Servlet API's blocking I/O, server-side processing threads become perpetually blocked. Over time, this malicious activity leads to the exhaustion of the thread pool, preventing the server from handling legitimate requests and ultimately causing a Denial of Service.
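The two client behaviours the paragraph describes, as an added example that is not part of this advisory or of Tomcat's own code: a small Python parser over a constructed HTTP/2 frame stream that counts SETTINGS frames on a connection and lists streams opened by HEADERS that never carry DATA or END_STREAM, the shape of check a defender could run over captured client traffic. The alert threshold, the sample bytes and the assumption that the connection preface has already been stripped are all assumptions of the example.

```python
# Added example (not from the advisory or Tomcat): flag the two client patterns
# behind CVE-2019-0199 in a captured HTTP/2 byte stream. Assumes the 24-byte
# client connection preface has been stripped so the buffer starts at a frame.
import struct

FRAME_DATA, FRAME_HEADERS, FRAME_SETTINGS = 0x0, 0x1, 0x4   # RFC 7540 frame types
FLAG_END_STREAM = 0x1
SETTINGS_ALERT_THRESHOLD = 5   # assumed threshold; tune to the connection's rate

def iter_frames(buf: bytes):
    """Yield (type, flags, stream_id, payload) per 9-byte frame header (RFC 7540 s4.1)."""
    off = 0
    while off + 9 <= len(buf):
        length = int.from_bytes(buf[off:off + 3], "big")        # 24-bit payload length
        ftype, flags = buf[off + 3], buf[off + 4]
        stream_id = struct.unpack("!I", buf[off + 5:off + 9])[0] & 0x7FFFFFFF  # drop R bit
        payload = buf[off + 9:off + 9 + length]
        if len(payload) < length:
            break                                               # truncated frame: stop
        yield ftype, flags, stream_id, payload
        off += 9 + length

def analyse_connection(buf: bytes) -> dict:
    """Count SETTINGS frames and find streams opened by HEADERS but left idle."""
    settings = 0
    opened, progressed = set(), set()
    for ftype, flags, sid, _ in iter_frames(buf):
        if ftype == FRAME_SETTINGS and sid == 0:
            settings += 1                       # excessive SETTINGS = first weakness
        elif ftype == FRAME_HEADERS:
            opened.add(sid)
            if flags & FLAG_END_STREAM:
                progressed.add(sid)             # request fully sent, not idle
        elif ftype == FRAME_DATA:
            progressed.add(sid)                 # request body flowing, not idle
    idle = sorted(opened - progressed)          # open streams with no data = second weakness
    return {"settings_frames": settings, "idle_streams": idle,
            "suspicious": settings > SETTINGS_ALERT_THRESHOLD or bool(idle)}

def frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Encode one frame; used only to build the constructed sample below."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id) + payload)

# Constructed sample: 8 empty SETTINGS frames, then HEADERS opening streams 1, 3 and 5
# with no DATA; only stream 5 sets END_STREAM (0x5 = END_STREAM | END_HEADERS).
SAMPLE = b"".join([frame(FRAME_SETTINGS, 0, 0)] * 8 + [
    frame(FRAME_HEADERS, 0x4, 1, b"\x82"), frame(FRAME_HEADERS, 0x4, 3, b"\x82"),
    frame(FRAME_HEADERS, 0x5, 5, b"\x82")])

if __name__ == "__main__":
    print(analyse_connection(SAMPLE))
```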

What is the Impact of CVE-2019-0199?

Successful exploitation may allow attackers to render the affected service unavailable, disrupting business operations and legitimate user access.

What is the Exploitability of CVE-2019-0199?

Exploitation of this Denial of Service vulnerability is likely low to moderate in complexity. The prerequisite is a server running an affected version of Apache Tomcat with HTTP/2 enabled. No authentication or privilege requirements are mentioned, so an unauthenticated remote attacker could exploit this vulnerability over the network. A further condition is that the server uses the Servlet API's blocking I/O for requests, since that is what keeps the processing threads blocked. Risk factors that increase the likelihood of exploitation include publicly accessible HTTP/2 endpoints and a lack of rate limiting or resource consumption monitoring on the server, which lets an attacker exhaust server threads unnoticed.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2019-0199?

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >8.0.0, <8.5.38 → Upgrade to 8.5.38
  • org.apache.tomcat.embed:tomcat-embed-core
    • >9.0.0, <9.0.16 → Upgrade to 9.0.16

Additional Resources

What are Similar Vulnerabilities to CVE-2019-0199?

Similar Vulnerabilities: CVE-2021-26690, CVE-2022-22965, CVE-2023-34035, CVE-2020-13934, CVE-2020-1938