CVE-2019-10072
Denial of Service vulnerability in tomcat-embed-core (Maven)
What is CVE-2019-10072 About?
This vulnerability is a Denial of Service (DoS) in Apache Tomcat's HTTP/2 implementation. The fix for CVE-2019-0199 was incomplete: it did not cover exhaustion of the HTTP/2 connection-level flow-control window on write. A client that consumes the server's connection window and then never sends WINDOW_UPDATE frames for stream 0 leaves the server's write window at zero, so the threads serving that connection's responses block; enough such connections pin every request-processing thread and the connector stops serving legitimate clients. The attack needs no authentication and no special network position, only a client that can drive HTTP/2 flow control at the frame level.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
  - >=8.5.0, <8.5.41 (8.5.0 through 8.5.40)
  - >=9.0.0.M1, <9.0.20 (9.0.0.M1 through 9.0.19)
Technical Details
The vulnerability is a bypass of the fix for CVE-2019-0199, which left HTTP/2 connection-window exhaustion on write uncovered. HTTP/2 flow control (RFC 7540, section 6.9) gives a sender two windows to respect for every DATA frame: the window of the individual stream and the connection window, which belongs to stream 0 and is shared by all streams on the connection. Both are replenished only by WINDOW_UPDATE frames from the peer. A client that consumes the server's connection window and then never sends a WINDOW_UPDATE for stream 0 leaves that window at zero, so the Tomcat thread writing the response blocks waiting for an increase that never arrives; WINDOW_UPDATE frames for individual streams do not help, because the connection window still gates every write. Each such connection pins one request-processing thread for as long as the client keeps it open, and once the connector's pool (maxThreads) is fully pinned no further requests are processed, a Denial of Service for the server.
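The following is an added model of the stall described above; it is not Tomcat code. It reproduces the RFC 7540 accounting a server does when writing DATA frames (each frame consumes the stream window and the shared connection window, and an exhausted sender waits for WINDOW_UPDATE) and drives it with two constructed clients: one that replenishes both windows and one that replenishes only its stream window, never stream 0. Time is modelled as discrete ticks, not wall-clock seconds; `write_timeout=None` models the vulnerable behaviour of waiting forever, while an integer bound models a server that gives up and closes the connection (how the fixed Tomcat releases actually bound the wait is in the linked commits, not asserted here). The worker pool size of 200 is Tomcat's default `maxThreads`.

```python
"""Model of the HTTP/2 connection-window stall behind CVE-2019-10072 (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

INITIAL_WINDOW = 65_535   # RFC 7540 s6.9.2: initial flow-control window for streams and connection
MAX_FRAME_SIZE = 16_384   # RFC 7540 s6.5.2: default SETTINGS_MAX_FRAME_SIZE

WindowUpdate = Tuple[int, int]                 # (stream_id, increment); stream 0 is the connection
Client = Callable[[int], List[WindowUpdate]]   # tick -> WINDOW_UPDATE frames received in that tick


class WriteTimeout(Exception):
    """Bounded-wait behaviour: the server stops waiting and closes the connection."""


@dataclass
class Connection:
    connection_window: int = INITIAL_WINDOW
    stream_windows: Dict[int, int] = field(default_factory=dict)
    # None = wait forever (vulnerable); an int = ticks a write may wait for a usable WINDOW_UPDATE
    write_timeout: Optional[int] = None

    def open_stream(self, stream_id: int) -> None:
        self.stream_windows[stream_id] = INITIAL_WINDOW

    def apply_window_update(self, stream_id: int, increment: int) -> None:
        if stream_id == 0:
            self.connection_window += increment
        else:
            self.stream_windows[stream_id] += increment


def send_response(conn: Connection, stream_id: int, body_len: int,
                  client: Client, max_ticks: int = 50) -> Tuple[str, int]:
    """Drive one worker thread writing body_len bytes of response on stream_id.

    Returns ("done", ticks) when the body is written, or ("blocked", ticks) if the
    thread is still waiting after max_ticks (the vulnerable outcome). Raises
    WriteTimeout when conn.write_timeout is set and exceeded.
    """
    sent, tick = 0, 0
    waiting_since: Optional[int] = None
    while sent < body_len:
        # A DATA frame may not exceed either window or the max frame size.
        avail = min(conn.connection_window, conn.stream_windows[stream_id], MAX_FRAME_SIZE)
        if avail > 0:
            chunk = min(avail, body_len - sent)
            conn.connection_window -= chunk
            conn.stream_windows[stream_id] -= chunk
            sent += chunk
            waiting_since = None
            continue
        # Window exhausted: the worker blocks until the peer's WINDOW_UPDATE frames arrive.
        if waiting_since is None:
            waiting_since = tick
        for sid, inc in client(tick):
            conn.apply_window_update(sid, inc)
        tick += 1
        if conn.write_timeout is not None and tick - waiting_since >= conn.write_timeout:
            raise WriteTimeout(f"stream {stream_id}: no usable WINDOW_UPDATE for {conn.write_timeout} ticks")
        if tick >= max_ticks:
            return ("blocked", tick)
    return ("done", tick)


def well_behaved_client(tick: int) -> List[WindowUpdate]:
    """Constructed honest peer: replenishes the connection window (stream 0) and stream 1."""
    return [(0, INITIAL_WINDOW), (1, INITIAL_WINDOW)]


def starving_client(tick: int) -> List[WindowUpdate]:
    """Constructed malicious peer: keeps stream 1's window healthy but never updates stream 0,
    so the connection window stays at zero and every write on the connection stalls."""
    return [(1, INITIAL_WINDOW)]


def run_attack(worker_threads: int, attacker_connections: int,
               write_timeout: Optional[int]) -> Dict[str, int]:
    """Hand one worker to each starving connection and count what happens to the pool."""
    outcome = {"blocked": 0, "freed": 0, "idle": 0}
    for _ in range(min(attacker_connections, worker_threads)):
        conn = Connection(write_timeout=write_timeout)
        conn.open_stream(1)
        try:
            status, _ = send_response(conn, 1, 10 * INITIAL_WINDOW, starving_client)
        except WriteTimeout:
            outcome["freed"] += 1   # connection closed; the thread returns to the pool
            continue
        outcome["blocked" if status == "blocked" else "freed"] += 1
    outcome["idle"] = worker_threads - outcome["blocked"]
    return outcome


if __name__ == "__main__":
    print("vulnerable (wait forever):", run_attack(200, 200, None))
    print("bounded wait of 3 ticks:  ", run_attack(200, 200, 3))
```

With the default pool of 200 threads, 200 starving connections leave zero idle workers in the unbounded model, while the bounded model frees every thread once its deadline passes.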
What is the Impact of CVE-2019-10072?
Successful exploitation exhausts the request-processing threads of the affected connector, so the Tomcat instance stops answering requests on it, including requests from HTTP/1.1 clients that share the same connector and thread pool. The blocked threads stay pinned for as long as the attacker keeps the starved connections open, which makes this a complete denial of service for legitimate users rather than a transient slowdown.
What is the Exploitability of CVE-2019-10072?
Exploitation requires an HTTP/2 client the attacker controls at the frame level: it must request resources whose responses exceed the 65,535-byte initial connection window and then withhold WINDOW_UPDATE frames for stream 0, something off-the-shelf clients and browsers do not do, so the complexity is moderate rather than trivial. No authentication is needed: any resource the server is willing to serve, a static file for example, supplies the response bytes that exhaust the window. The attack is remote and needs only network reachability of the vulnerable Tomcat instance plus enough connections to pin the connector's thread pool, each of them cheap to hold open. Only connectors with HTTP/2 enabled are exposed. Tomcat does not enable HTTP/2 by default; a connector is affected only if its server.xml definition carries an <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> child, and removing that element from Internet-facing connectors is a workaround where upgrading is not immediately possible.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2019-10072?
About the Fix from Resolved Security
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >=8.5.0, <8.5.41 → Upgrade to 8.5.41 or later
  - >=9.0.0.M1, <9.0.20 → Upgrade to 9.0.20 or later
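As an added example (not Resolved Security's tooling or Apache code), the following checks whether a tomcat-embed-core version falls inside the affected ranges above and extracts that version from a pom.xml, resolving a `${property}` placeholder declared in `<properties>`. The ordering handles Tomcat's milestone scheme, where `9.0.0.M1` through `9.0.0.M27` precede `9.0.1` (and `10.0.0-M1` uses a hyphen). The embedded pom.xml is constructed for the example.

```python
"""Affected-range check for CVE-2019-10072 on tomcat-embed-core (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

GROUP_ID, ARTIFACT_ID = "org.apache.tomcat.embed", "tomcat-embed-core"
# Half-open ranges from the advisory: fixed in 8.5.41 and 9.0.20.
AFFECTED_RANGES = [("8.5.0", "8.5.41"), ("9.0.0.M1", "9.0.20")]

# major.minor.patch with an optional milestone suffix (".M1" in Tomcat 9, "-M1" in Tomcat 10).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key; milestones rank below the GA release of the same number."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_ga = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_ga, int(milestone or 0))


def is_affected(version: str) -> bool:
    """True if version lies in any affected half-open range [lo, hi)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def _local(tag: str) -> str:
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem: ET.Element, name: str) -> Optional[str]:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def embedded_tomcat_version(pom_xml: str) -> Optional[str]:
    """Version declared for tomcat-embed-core in pom_xml, or None if absent or managed
    elsewhere (parent POM / BOM), in which case `mvn dependency:tree` resolves it."""
    root = ET.fromstring(pom_xml)
    props = {}
    for elem in root.iter():
        if _local(elem.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in elem}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        if _child_text(dep, "groupId") == GROUP_ID and _child_text(dep, "artifactId") == ARTIFACT_ID:
            version = _child_text(dep, "version")
            if version is None:
                return None
            placeholder = re.fullmatch(r"\$\{([^}]+)\}", version)
            return props.get(placeholder.group(1)) if placeholder else version
    return None


# Constructed sample pom.xml: the version is indirected through a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>demo</artifactId>
  <version>1.0</version>
  <properties>
    <tomcat.version>9.0.19</tomcat.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    found = embedded_tomcat_version(SAMPLE_POM)
    print(f"tomcat-embed-core {found}: {'AFFECTED' if found and is_affected(found) else 'not affected'}")
```

If the POM does not state a version (Spring Boot projects usually inherit it from the parent), run `mvn dependency:tree` and feed the resolved version to `is_affected`.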
Additional Resources
- https://lists.apache.org/thread.html/df1a2c1b87c8a6c500ecdbbaf134c7f1491c8d79d98b48c6b9f0fa6a%40%3Cannounce.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://github.com/apache/tomcat/commit/0bcd69c9dd8ae0ff424f2cd46de51583510b7f35
- https://tomcat.apache.org/security-9.html
- https://security.netapp.com/advisory/ntap-20190625-0002
- https://usn.ubuntu.com/4128-1/
- https://github.com/apache/tomcat/commit/7f748eb6bfaba5207c89dbd7d5adf50fae847145
What are Similar Vulnerabilities to CVE-2019-10072?
Similar Vulnerabilities: CVE-2019-10081, CVE-2019-0199, CVE-2015-5182, CVE-2014-0050, CVE-2019-12411
